Home Depot – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Not a Bro-grammer | WTR 42
https://original.jupiterbroadcasting.net/88421/not-a-bro-grammer-wtr-42/
Wed, 30 Sep 2015 09:35:41 +0000

The post Not a Bro-grammer | WTR 42 first appeared on Jupiter Broadcasting.


Holly is a software engineer at BlackLocus, a big data analyzer for Home Depot. She discusses her journey into technology that started in college & took a big detour.


Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So Angela, today we are going to talk to Holly Gibson. She is a programmer for BlackLocus. Yes, it was awesome, which apparently has a reference to black hole, which is bad ass. Anyway, she is working kind of on data science and she went through boot camp and she does all sorts of cool things. And we talk about all of them.
ANGELA: Yes. It’s a very good interview that we are going to get into as soon as I mention that you can support this show. If you’re listening week after week and you like the content and you would like to help in some way, you can go to Patreon.com/today. It is how the whole network of Jupiter Broadcasting is funded, but specifically, when you subscribe you are helping out Women’s Tech Radio as well. Patreon.com/today.
PAIGE: And we get started with today’s interview by asking Holly what she’s up to in tech today.
HOLLY: I’m a software engineer at BlackLocus. It’s a subsidiary of Home Depot and they do data science for Home Depot. They do a lot of web scraping and track all of Home Depot’s product catalog and their competitor’s prices so that they can price their products accurately. So lots of big data.
ANGELA: That’s really cool, because in a previous episode we were discussing that, was it Sears that needed a total IT aspect to it.
PAIGE: Yeah.
ANGELA: And so now this is similar. BlackLocus, you said?
HOLLY: Yes.
ANGELA: Yeah, for Home Depot.
HOLLY: Uh, Locus means place. They’re kind of like the black hole of the internet. They’re sucking in everything.
ANGELA: Wow.
PAIGE: I like that. That’s really cool.
ANGELA: Yeah, it is.
PAIGE: So we were essentially touching on the idea that at this point all companies are becoming tech companies.
ANGELA: Yeah.
HOLLY: Yes. Yes. Home Depot acquired them three years ago. They had become a client and immediately started negotiating to buy them, because their tool was so awesome.
PAIGE: Awesome. So you do data science, which I think of as kind of like a magical unicorn at this point, because no one is quite willing to nail down what that means in the tech sphere, so can you enlighten me?
HOLLY: Sure. I’m more on the software engineer side so I’m not writing the fancy algorithms that the data science people are. We’re working in Python and Java and Javascript to consume the data and wrap it and make it beautiful so that an average person can look at it and understand what it means.
PAIGE: Okay. So you write tools in Python and Javascript and stuff and then you take what they’ve done and make it so that someone like me can get their head around it?
HOLLY: Yes.
PAIGE: Very cool. What’s your favorite piece of that stack?
HOLLY: I really like all of it still. I’m a generalist engineer. I’m, you know, full stack as they say, but generalist. I dabble in a little bit of everything. I came out of a boot camp two years ago and my first job was working at an education startup doing everything from supporting the IT for the office to managing the server and the databases, doing the front end and the back end. So I really like all of it. Mainly I like solving problems. So just let me solve problems. Let me use logic and my brain and I’m happy.
PAIGE: So, boot camp, is that the way that you got into the technology field?
HOLLY: Sort of. It was a reboot. I studied Javascript and databases in college and I took over the college website and I managed it for five years. And I really enjoyed it, but I was a one woman team and solo. So it was very lonely. I didn’t have any mentors at that time. You know, web applications were just coming out and it was before Facebook, so that’s how old I am. So people were just figuring stuff out and so I didn’t know how much I knew. I thought, I’m just a beginner. I don’t know very much. I’ve done this for five years. This is fun, but now I’m going to go try a bunch of other stuff. So I sold antiques on Ebay. I managed a restaurant. I did summer camps for kids with disabilities. And then two years ago I found out about a boot camp here in Austin, Texas, where I live, and my husband and I signed up to do it together. It was a three-month program over the summer. The hardest thing I’ve ever done, but got through it and really enjoyed having teachers I could ask questions from, classmates alongside of me. We were learning together. Building actual applications and projects. It was a really, really great experience.
PAIGE: What do you think was the major difference between studying at a university level and being in the boot camp. Maybe, was it the timeliness of it? Where the internet has grown so much and we have so much more to work with and so many more resources, or more like the way that the instruction was done? What was the real standout to you that made it stick this time around and didn’t last time?
HOLLY: The way the instruction was done. I think sometimes universities are behind the ball so the technology I was learning in school was already a couple years old. I went to a very small school and the classes were really little. Most of them I was by myself so the professor would hand me a text book and say go read this. Which was great, I was learning, but having the hands on experience of the boot camp really resonated with me. I’m a mechanical person. I like building. I like learning by projects. So it cemented the theory much more in my brain when I was actually doing stuff.
PAIGE: That makes total sense. So you mentioned in talking about your university that it was really confusing to you to tell what the next steps were and understanding how much you knew. Do you think that was — and then you mentioned a lack of mentors. Do you think that those two are kind of related and how have you tackled that this time around?
HOLLY: Sure. Yeah. The program that I studied in school wasn’t a traditional computer science program. It was a degree in Theology and they had just added web design, because they thought, well people might want websites. So I took all the classes, because I actually thought theology was boring. So I loved the web design and I wanted a job afterwards, and I didn’t want to be a minister. So the web design seemed like a good route to go, but then I, you know, after I had built some sites and when I was thinking about leaving the university, I wasn’t sure how to go about that, because I didn’t have a computer science degree on my resume. I didn’t know anybody in computer science. All I knew is I liked web design and I had built some stuff, but I wasn’t sure how to translate that into getting a different job. And so I kind of just gave up and went and did other stuff where I knew I could sell myself in marketing, graphic design, and stuff. Since going through the boot camp, it was great because they had relationships with local companies. They recommended we go to meetups, that we looked for mentors, that we meet people in the local tech scene. And so immediately in the boot camp we started as a class going to different meetups. Going to the Javascripts meetup. Going to the Rails meetup. And then I was really lucky to go to a Women Who Code meetup that had just started here in Austin at our bootcamp. They had the first night there and I went and it was an informational meeting and I said how can I help? And the women said how would you like to run Austin Women Who Code. So-
PAIGE: The same thing happened to me.
ANGELA: Wow.
HOLLY: Yeah.
PAIGE: Yeah, not kidding.
HOLLY: So I took it over and now two years later we have 1,200 members and it’s been awesome. So that’s really been a great avenue for me to meet other women in tech, to find mentors. But what I tell the women in my group is go to the meetups. If you see someone talking intelligently about something and you want to know more, go ask them questions. They could turn into a mentor. Like I mentioned, my first job was at an education startup by myself. So again, that’s like a one woman team and I knew I needed help. And I knew where to go. So I went to the meetups. I met some people and I was like can you help me? Explain this code. I’m not understanding this. You know, I’m all by myself. And I said, yeah, let’s meet for coffee. And I said I’ll buy you coffee. I’ll buy you tacos, whatever you want. So one guy, we started meeting weekly for about four months and he explained code to me and design patterns and different things, and really got me over the first hump in my job. And since then I’ve been kind of networking through his friends and going, so do you know of someone who knows this, and someone who knows that. And just finding where the holes are in my knowledge and who can help me with those. There’s lots of online classes and blogs and videos and those are great. I learn mostly sitting with someone in pair programming and so I’ll read books and I will look up blogs. My best source of learning is from an actual physical person. So I really do like meeting. I write. Now I’m learning Haskell and functional programming so I meet weekly with my mentor, who came through my first mentor. And it’s great, because he has a master’s in Computer Science and he’s been doing this for 15 years and I can ask so many questions. I have this wealth of knowledge in that brain.
PAIGE: So did you find it with these mentors, were they resistant to the idea of being an official mentor or were they welcoming? How did you get over the fear of asking them for that relationship?
ANGELA: Or do they know that they’re your mentor?
PAIGE: Yeah, also that.
HOLLY: That’s a funny question. Yeah, a lot of them don’t like the label mentor, but they’re getting used to it. Most of them have been fascinated to teach a woman how to program, because some of them haven’t worked as often with a woman in programming. And I’m fine with being a social experiment for them.
PAIGE: You’re their token female programmer friend.
HOLLY: Yes. And I’m fine. If they want to explain things and teach me, that’s fine. I just make sure that it’s someone I connect with, you know, on a personality level. I’m not going to work with someone who’s going to speak down to me, you know, or be a programmer. And the guys I work with have been very nice and very supportive and want to start a mentorship program for Women Who Code so that they can get more women into tech. First of all, I didn’t say will you be my mentor. I would just say will you explain some code to me. And then if they’re willing to meet, then I’ll ask do you ever mentor people. And if they’re like, no I, I don’t and I’m not sure what that means, I’ll say well I’m learning this, would you mind explaining stuff with me. Could you work with me on a weekly or a bi-weekly, bi-monthly basis. What would fit in your schedule. So far, the people I’ve met, have said oh yeah I can meet with you weekly. I’ll buy them coffee. I make sure that I’m thanking them in some way. And they have all been really casual and nice about it. And I do the same. You know, I meet with women from my Women Who Code group. We have a Sunday morning ladies coding brunch and we code every Sunday morning. And I explain things to them that my mentors are teaching me. I think it’s important that people keep giving and raising up the people below them.
PAIGE: That was totally going to be my question for you and you answered it. Do you mentor as well? That’s very awesome that you do. I love that it’s a brunch.
ANGELA: Yeah.
PAIGE: That’s perfect. It’s just perfect. Very cool. So you go from like mentor first dating. Like, can you explain this thing to me? And then if it goes well you ask for more.
HOLLY: Yes.
PAIGE: So you filled out our awesome guest form and you mentioned this and I just have to ask about it, that you rebuilt a server from a remote cabin in Finland?
HOLLY: Yeah. So, last summer our server was hacked while I was on a two-week vacation in Finland. My mother-in-law is Finnish and she has a cabin on a lake. A lot of people do there. They have saunas and cabins and stuff. And so we were on — I was on the train with my husband and they have WiFi. Finland is, you know, great tech country. You know, that’s where Linux came from and Angry Birds and everything. So there’s WiFi on the train and I was checking my email and I saw that our server had been quarantined and over the next week I got to rebuild our server. I got a hotspot from the only electronic store in the village and had about three hours of sleep a night for a week.
PAIGE: Wow, that’s crazy. I do love that though about the modern world. It’s like you can be anywhere and do what we do.
HOLLY: Yeah. I was Facetiming with my boss. There was an eight hour difference and it would be 3:00 in the morning for her, but I was awake and telling her what I had fixed, where the progress was. And what happened is our app had been built by a backend team in Siberia and they had forgot to put a firewall on our Elasticsearch engine, it has an open facing port and it didn’t have a firewall and a robot got installed and was DDoSing other servers.
PAIGE: Oh man. That’s not fun.
HOLLY: No, but I got it fixed and that actually, that experience really made me feel like I can do this, because up to that point I’d been at that job straight out of the boot camp nine months. And it was nine months of being terrified. Do I know what I’m doing? I’m all by myself. You know, even with my mentor you have fear and sometimes the imposter syndrome and you can make things bigger than they really are in your head, because you’re not sure what’s going to happen. This is a whole new experience. You don’t know what’s coming down the road. And the unknown is more scary than the known. Well the worst thing that can happen to you is having your server hacked. But once I got through that I was like I can do anything. I’m not afraid anymore. I can solve anything.
PAIGE: Totally. So I can’t imagine that you went through that much ops during boot camp. At least with the boot camps I’ve been exposed to and know about, they don’t do a ton of server stuff. How did you dive into that? Was that something you brought from before or were you just kind of teaching yourself on the fly to fix this thing?
HOLLY: Everything I learned on the job. We used Linode so they did have some documentation. I knew the services that we used so I knew how to install them and set them up. Thankfully we used New Relic as a monitoring tool so I could see what processes were running and see that Elasticsearch had a crazy amount of data being processed, because it was DDoSing other stuff. So having the right tools I think is also really important and thankfully the team in Siberia, even though they forgot the firewall, did set up New Relic and we have now — that company I had, after I came back we switched over to Heroku so we didn’t have to worry about security anymore, but I still kept New Relic because I said I need to be able to see the different processes. I need to know the health of our application and what’s going on. I Googled a lot.
PAIGE: Right.
ANGELA: Yeah.
HOLLY: And Linode did have a brief document on how to deal with a quarantined server, what tools to install to scan your files and make sure they weren’t corrupted. But mainly it was just me solving this big riddle of what happened, what’s going on, and how do I fix it.
PAIGE: That’s how I do things. You kind of dive in and start Googling.
ANGELA: Uh-huh.
HOLLY: Google knows.
PAIGE: How did you get to the point where you could kind of know what to Google? I’ve had that question from a lot of ladies as I start to mentor them or they come into Women Who Code and they’re like, well I don’t even know what to ask. Was a lot of that — where did that happen for you or did that happen for you?
HOLLY: Sure. That was one thing that I really appreciated from the boot camp. They worked with us on how do you Google. In the beginning the teachers would say oh well just Google it and I said I don’t know what to Google. Like what? What terms? Like if I’m trying to solve this how do I Google? Like what’s the tech speak. And so having them work with us a few times, then you started to get comfortable with realizing, okay these are the terms I need to search and is this bringing a result on Stack Overflow. Then I’m probably searching the right thing. You know, if I’m getting results for tech forums then, you just keep doing it and if it’s not returning the right thing, then switching out some terms and just trial and error.
PAIGE: Uh-huh.
HOLLY: Really helped. And time. As you do it more often and often then you’re going to start to know what are the key terms to search and it will get easier.
PAIGE: It is definitely a practiced skill, I would say, personally.
ANGELA: So I wanted to ask about your Ebay selling and you mentioned already a little bit that you were selling antiques.
HOLLY: Uh-huh.
ANGELA: So how did you even — did you get into Ebay when it was super — I think it was like ‘99 or 2000 that it really-
PAIGE: Yeah, right about then.
ANGELA: Became popular. When did you get into it and why?
HOLLY: 2009 is when I got into it, because my mother-in-law is a power seller. Her whole job is selling on Ebay. She had been doing it since ‘96. So after I left the university and I was looking at other things to do, she said well I can teach you a skill that you can use all the time, no matter what job you’re at. And so she showed me how to set up a store, so again, mentoring is so important.
ANGELA: Yes.
HOLLY: And she showed me how to take good pictures. She bought me a light box so that I could place the items in the light box and take quality photos and a scale so I could say how heavy the things were for jewelry. The different things that people want to know in the description of antique stuff. So having her as a resource was really great. And then also where to find the stuff. We went to a lot of estate sales and since my mother-in-law had been doing this for about 14 years she knew what kind of brands to look for and how to find good deals and we would buy box lots and sift through the stuff and she knew what could be sold by itself. What could be sold as an assortment. Having her as a mentor was great and it was fun. I never made enough money at it, because it’s something you have to really work at full time to build up enough inventory.
ANGELA: Yeah.
HOLLY: But my mother-in-law does it and she makes a good income and loves it.
PAIGE: Great.
ANGELA: I actually just went to a garage sale recently and it’s people that I actually know and they buy storage units that are unpaid and it’s just the luck of the draw. Everybody bids on it, whoever is the highest gets it. And then they have a garage sale. It’s a really interesting model, but a lot of work. A lot of footwork, but interesting.
HOLLY: A lot of footwork. So if you like that stuff, great. I was like man I don’t want to do this. This is taking me hours to make a few dollars.
ANGELA: Right. Right.
HOLLY: So I want to go work in an industry where I can make a nice amount of money for just an hour of work.
ANGELA: Yeah. If you’re passionate about finding really unique antiques or something I could see it being a fun thing to do on the side, but yeah, definitely not-
HOLLY: Definitely fun on the side.
ANGELA: A primary thing.
HOLLY: I got my furniture through an estate sale and so it’s nice to have that resource.
PAIGE: It’s amazing how, like, the skills we accumulate over a lifetime and how they affect everything.
ANGELA: Yes. Yes, definitely.
HOLLY: Yeah, it actually came back to be a benefit, because I judged at a Paypal Ebay Hackathon here in Austin and I got to say yeah I’m an Ebay seller.
PAIGE: Yeah, there you go. It’s always interesting. So one last question before we go. I wanted to know, since you mentioned it kind of before, like what tools do you use on a daily basis to do the work that you’re doing now? You said you’re in Python and Javascript, but what’s on your laptop kind of a thing?
HOLLY: Sure. The text editor I use is Sublime Text. I really like it. I have installed a bunch of different packages that help me work with the code. I use Mac, Macbook so I use iTerm as my terminal. I’m running in a virtual environment for Python using virtualenvs and, let’s see, for (indiscernible) testing we like to use Gulp or Karma. We are using Elasticsearch and Redis for our search engine. The whole team is on HipChat and then Slack if HipChat breaks.
ANGELA: Nice to have an alternative.
HOLLY: Yes. And we have a lot of fun making our own little GIFs to have emoticons. I would say those are the main tools that I’m using. We use AWS for our servers and our fancy ops guys do all of our builds as Debian packages so builds have to be done on a Linux machine, but most of the team is on Macbooks.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember, you can find the full transcript of the show over at JupiterBroadcasting.com in the show notes. You can also catch us on Twitter, @HetyWTR or email us, WTR@JupiterBroadcasting.com
PAIGE: You can also find us and subscribe on any podcasting network of your choice, including iTunes. Or check us out on YouTube if you are not a podcast person or have a friend who’s not a podcast person. Please feel free to recommend us. You can also email us directly if you have comments, feedback, or people you’d like to hear on the show; we’d love to hear about it. Our email is WTR@JupiterBroadcasting.com. Thanks so much for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

Grand Theft Depot | Tech Talk Today 54
https://original.jupiterbroadcasting.net/66282/grand-theft-depot-tech-talk-today-54/
Mon, 08 Sep 2014 09:43:57 +0000

The post Grand Theft Depot | Tech Talk Today 54 first appeared on Jupiter Broadcasting.


Did Home Depot get struck by the same malware that attacked Target? How the FBI found the Silkroad server, and Reddit just got a big cash infusion… But is it enough?

Plus a nostalgic look back at the WORM drive & much more!


Show Notes:

Reddit Raising Big Funding Round With Help From Y Combinator Contacts

Reddit, the social news site with a big Web footprint, is raising a big funding round — with help from some of the people who helped launch the site nine years ago, including co-founder Alexis Ohanian and other people associated closely with startup incubator Y Combinator.

Sources said the site has reached a preliminary agreement to sell less than 10 percent of the company for more than $50 million. That could give the company a valuation of upwards of $500 million.

Home Depot Hit By Same Malware as Target — Krebs on Security

The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the same malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation.


A source close to the investigation told this author that an analysis revealed at least some of Home Depot’s store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.


BlackPOS also was found on point-of-sale systems at Target last year. What’s more, cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator[dot]cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack.

Other clues in the new BlackPOS malware variant further suggest a link between the cybercrooks behind the apparent breach at Home Depot and the hackers who hit Target. The new BlackPOS variant includes several interesting text strings. Among those are five links to Web sites featuring content about America’s role in foreign conflicts, particularly in Libya and Ukraine.

One of the images linked to in the guts of the BlackPOS code.

Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.

Dread Pirate Sunk By Leaky CAPTCHA — Krebs on Security

“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”

Doubts cast over FBI ‘leaky CAPTCHA’ Silk Road rapture • The Register

“The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me — but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many Bitcoin (with little legal implication if you managed to steal them).”

Moreover, an externally hosted image would still be routed over Tor and any packet sniffer would be unable to detect the Silk Road’s IP address.

Cubrilovic claimed it was more likely the FBI found and exploited a security vulnerability or discovered an information leak in the Silk Road login page and application.

CenturyLink Said to Seek to Acquire Rackspace Hosting – Bloomberg

CenturyLink has discussed the idea with San Antonio-based Rackspace, which last month said it is still conducting an internal review of its strategic options, according to the people, who asked not to be identified talking about private information. One person said a deal may not be reached for the company, which had a stock-market valuation of $5.33 billion at the end of last week.


Odds of the deal going through are less than 50 percent unless Rackspace is willing to take payment in stock or enter a joint venture, Jaegers said. CenturyLink wants to avoid a debt downgrade that may come with financing a large deal, she said.

What is WORM (write once, read many)?

In computer storage media, WORM (write once, read many) is a data storage technology that allows information to be written to a disc a single time and prevents the drive from erasing the data. The discs are intentionally not rewritable, because they are especially intended to store data that the user does not want to erase accidentally. Because of this feature, WORM devices have long been used for the archival purposes of organizations such as government agencies or large enterprises. A type of optical media, WORM devices were developed in the late 1970s and have been adapted to a number of different media. The discs have varied in size from 5.25 to 14 inches wide, in varying formats ranging from 140MB to more than 3 GB per side of the (usually) double-sided medium. Data is written to a WORM disc with a low-powered laser that makes permanent marks on the surface.

Home Depot Credit Repo | TechSNAP 178
https://original.jupiterbroadcasting.net/65977/home-depot-credit-repo-techsnap-178/
Thu, 04 Sep 2014 18:57:14 +0000

The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.


Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and what’s behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken.

Plus a great batch of your questions, our answers & much more!


— Show Notes: —

Krebs: Banks report breach at Home Depot. Update: Almost all Home Depot stores hit

  • Sources from multiple banks have reported to Brian Krebs that the common retailer in a series of stolen credit cards appears to be Home Depot
  • Home Depot spokesperson Paula Drake says: “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
  • “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period”
  • “The breach appears to extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico”
  • Zip-code analysis shows 99.4% overlap between stolen cards and Home Depot store locations
  • This is important, as the fraud detection system at many banks is based on proximity
  • If a card is used far away from where the card holder normally shops, that can trigger the card being frozen by the bank
  • By knowing the zip code of the store the cards were stolen from, a criminal who buys the stolen card information to make counterfeit cards can use cards that are from the same region they intend to attack, increasing their chance of successfully buying gift cards or high-value items that they can later turn into cash
  • The credit card numbers are for sale on the same site that sold the Target, Sally Beauty, and P.F. Chang’s cards
  • “How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.”
  • Some retailers, including Urban Outfitters, say they do not plan to notify customers, vendors or the authorities if their systems are compromised

Fake cell towers found operating in the US

  • Seventeen mysterious cellphone towers have been found in America which look (to your phone) like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose. Source: Popular Science
  • Mobile handsets are supposed to warn the user when a tower does not support encryption. All legitimate towers support encryption, so the most likely reason for a tower not supporting it is that it is a rogue tower trying to trick your phone into not encrypting calls and data, so they can be eavesdropped upon
  • The rogue towers were discovered by users of the CryptoPhone 500, a Samsung SIII running a modified Android that reports suspicious activity, like towers without encryption, or data communications over the baseband chip without corresponding activity from the OS (suggesting the tower might be trying to install spyware on your phone)
  • “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one near the South Point Casino in Las Vegas.”
  • “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
  • Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
  • The Oakland Police Department, the nearby Fremont Police Department, and the Alameda County District Attorney jointly applied for a grant from the Department of Homeland Security to “obtain a state-of-the-art cell phone tracking system,” the records show.
  • Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
  • According to Harris’ annual report, which was filed with the Securities and Exchange Commission last week, the company profited over $534 million in its latest fiscal year, the most since 2011.
  • Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
  • Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
  • According to the newly released documents, the entire upgrade will cost $460,000—including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD). Neither the OPD nor the mayor’s office immediately responded to requests for comment.
  • One of the primary ways that stingrays operate is by taking advantage of a design feature in any phone available today. When 3G or 4G networks are unavailable, the handset will drop down to the older 2G network. While normally that works as a nice last-resort backup to provide service, 2G networks are notoriously insecure.
  • Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
  • Cities scramble to upgrade “stingray” tracking as end of 2G network looms

The Nude Celebrity Photo Leak Was Made Possible By Law Enforcement Software That Anyone Can Get

  • Elcomsoft Phone Password Breaker requires the iCloud username and password, but once you have it you can impersonate the phone of the valid user, and have access to all of their iCloud information, not just photos
  • “If a hacker can obtain a user’s iCloud username and password, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
  • “It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol that Apple uses for communicating between iCloud and iOS devices. This has been done before —Wired specifically refers to two other computer forensic firms called Oxygen and Cellebrite that have done the same thing — but EPPB seems to be a hacker’s weapon of choice. As long as it is so readily accessible, it’s sure to remain that way”
  • All of this still requires the attacker to know the celebrity's username and password
  • This is where iBrute came in
  • A simple tool that takes advantage of the fact that when Apple built the ‘Find My iPhone’ service, they failed to implement login rate limiting
  • An attacker can sit and brute force the passwords at high speed, with no limitations
  • The API should block an IP address after too many failed attempts. This has now been fixed
  • Another way to deal with this type of attack is to lock out an account after too many failed attempts, to ensure a distributed botnet cannot do something like try just 3 passwords each from 1000s of different IP addresses
  • When it becomes obvious that an account is under attack, it can be locked so that no one can gain access to it until the true owner of the account can be verified and steps can be taken to ensure the security of the account (change the username?)
  • The issue with this approach is that Apple Support has proven to be a weak link in regards to security in the past. See TechSNAP Episode 70.
  • Obviously, the iPhone to iCloud protocol should not depend on obscurity to provide security either. We have seen a number of different attacks against the iPhone based on reverse engineering the “secret” Apple protocols
  • Security is often a trade-off against ease-of-use, and Apple keeps coming down on the wrong side of the scale
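
The two defenses described above (blocking an IP after too many failures, and locking the account itself so a distributed attack cannot stay under the per-IP limit), as an added sketch that is not from the show notes or from Apple's service. The class name, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """In-memory sketch: counts failed logins per source IP and per account."""

    def __init__(self, ip_limit=5, account_limit=10, window=900):
        self.ip_limit = ip_limit            # assumed: failures allowed per IP per window
        self.account_limit = account_limit  # assumed: failures allowed per account per window
        self.window = window                # sliding window length in seconds
        self.ip_failures = defaultdict(deque)
        self.account_failures = defaultdict(deque)
        self.locked = set()                 # accounts held until the owner is verified

    def _recent(self, q, now):
        # Drop failures older than the window, return how many remain.
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, ip, account, now):
        """Called before the password is verified."""
        if account in self.locked:
            return "account_locked"
        if self._recent(self.ip_failures[ip], now) >= self.ip_limit:
            return "ip_blocked"
        return "ok"

    def record_failure(self, ip, account, now):
        self.ip_failures[ip].append(now)
        q = self.account_failures[account]
        q.append(now)
        # The account counter ignores the source IP, so many IPs add up.
        if self._recent(q, now) >= self.account_limit:
            self.locked.add(account)

def simulate(throttle, attempts):
    """Feed (ip, account, time) wrong-password attempts; count each verdict."""
    outcomes = defaultdict(int)
    for ip, account, now in attempts:
        verdict = throttle.check(ip, account, now)
        outcomes[verdict] += 1
        if verdict == "ok":  # the password was checked and was wrong
            throttle.record_failure(ip, account, now)
    return dict(outcomes)

# Constructed traffic (documentation IP ranges): one IP guessing 20 times,
# then 20 IPs making only 3 guesses each against a single account.
SINGLE_IP = [("198.51.100.7", "alice", t) for t in range(20)]
DISTRIBUTED = [(f"203.0.113.{n}", "bob", n * 3 + k)
               for n in range(1, 21) for k in range(3)]
```

Running `simulate` on `DISTRIBUTED` with the account limit effectively disabled lets all 60 guesses through, which is the gap the account lockout closes.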
