Another week and another (possible) data breach. According to this article, Staples is investigating a possible breach of payment card data. This is becoming way too commonplace, especially with the holidays fast approaching. From the article:
The office-supply retailer disclosed the investigation after security reporter Brian Krebs reported on his blog Krebsonsecurity.com that several banks have identified a pattern of payment card fraud suggesting that several Staples stores in the northeastern United States had succumbed to a data breach.
Most people that use smartphones want strong encryption on their devices to protect their data. According to this article, the FBI does not share that stance. From the article:
US law enforcement’s top officials are not happy about Apple and Google updating their mobile devices to have encryption turned on by default.
FBI Director James Comey reproached the two companies in a speech before the Brookings Institution in Washington, D.C. on Thursday, 16 October.
Earlier this month, US Attorney General Eric Holder said that it’s “worrisome” for Google and Apple to “thwart” law enforcement’s ability to pursue investigations.
According to this post, attackers are using Universal Plug and Play (UPnP) devices to launch massive Distributed Denial of Service (DDoS) attacks. From the post:
PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That’s about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices with members of the security community in an effort to collaborate with cleanup and mitigation efforts.
This post is reporting that a group of hackers found a flaw in Microsoft Windows and leveraged it to spy on “Western governments, NATO, European energy companies and an academic organization in the United States”. From the post:
Patrick McBride, a spokesman with iSight, says the hackers targeted specific officials using a well-known kind of attack called spear-phishing. Hackers would craft a message with a PowerPoint document attached. For example, they’d say, “We’d like to be involved in the conference.”
Another week, another data breach. According to this article, Kmart has announced that it has detected a breach of its store payment data systems. It is reported that its systems had been breached since at least early September and that credit card numbers were stolen from its brick-and-mortar stores. From the article:
Kmart says it hasn’t seen any evidence that anything other than the numbers of customers’ debit and credit cards have been grabbed by the hackers, but there will obviously be concerns that the situation might turn out to be worse than initially feared.
In what appears to be becoming a common thread among recent retail hacks, the card numbers compromised appear to have been stolen from actual retail stores, and not from those who purchased goods via the company’s website.
This article warns of a new threat that affects USB devices such as thumb drives. In July of this year, two researchers revealed a security flaw in these USB devices that could allow malware to be installed on them. This malware could take over any machine the device is plugged into. What’s really scary is that current antivirus technology has no way of detecting these malicious devices. From the article:
To demonstrate, Nohl and Lell created BadUSB, malware that lives in a USB’s core. It rewrites the USB’s firmware, staying undetected as it self-installs and quietly wreaks havoc on devices and network systems the infected USB is connected to. Even worse, BadUSB remains imperceptible to antivirus software and mobile security apps, and lives on even after the contents of the drive and devices have been deleted and reformatted.
This newsletter provides five steps to staying secure online. The advice is provided for a non-technical audience. From the overview of the newsletter:
As technology gains a more important role in our lives, it also grows in complexity. Given how quickly technology changes, keeping up with security advice can be confusing. It seems like there is always new guidance on what you should or should not be doing. However, while the details of how to stay secure may change over time, there are fundamental things you can always do to help protect yourself. Regardless of what technology you are using or where you are using it, we recommend the following.
Last Wednesday Apple released iOS 8.0.1, an update to the latest and greatest operating system for its mobile devices. Unfortunately, the update rendered many people’s devices unusable. According to this article, on Thursday Apple released instructions on how to roll back devices that installed the update. From the article:
An iOS 8.0.2 update is in the works, and it will also contain a fix for a significant HealthKit bug that popped up just ahead of the public release of iOS 8, Apple says.
This article is reporting that Apple is correcting a vulnerability on the iPhone to better protect your data. Prior to the fix, only a small portion of the data on your iPhone was encrypted, and Apple was able to get at the rest of the data if required. From the article:
From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.
This article discusses the severity of the Bash “shellshock” vulnerability that was released to the public last week.
In a nutshell, Bash is a command line interpreter that runs on operating systems such as Unix, Linux, and Mac OS X. The vulnerability lies in the fact that extra code can be sent to the Bash interpreter over the Internet, which could allow an attacker to run arbitrary scripts. This vulnerability is huge, as most of the operating systems mentioned include Bash by default and, obviously, most of these systems are connected to the Internet.
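The "extra code" in a Shellshock attempt rides in an HTTP header or request field that a CGI handler exports into Bash's environment, and it starts with the tell-tale function-definition prefix "() {". The detector below is an added example written for this roundup, not code from the article; the log lines are constructed and the field names are my own.

```python
import re

# A Shellshock attempt smuggles a Bash function definition, "() {", followed
# by extra commands, into a value that a CGI script will export as an
# environment variable (User-Agent, Referer, or the request line itself).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format; the group names are assumptions for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal request, one probe in the User-Agent,
# one probe in the Referer, and one unparseable line that must be skipped.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 42 "-" "() { :;}; echo CONSTRUCTED-PROBE"',
    '198.51.100.9 - - [24/Sep/2014:10:01:20 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo CONSTRUCTED-PROBE" "curl/7.37"',
    'garbage line that does not parse',
]


def find_shellshock_attempts(lines):
    """Return one record per log line whose request, Referer or User-Agent
    carries the "() {" prefix; the field that triggered is recorded so an
    analyst can see where the payload was placed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("req", "referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({"ip": m.group("ip"), "field": field,
                             "status": m.group("status"), "request": m.group("req")})
                break  # one record per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 response on the flagged request is the line worth chasing first: a patched Bash returns the probe's function definition untouched, so the injected commands never ran on a patched host.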
According to this article, Kevin Mitnick (called by some the world’s most notorious hacker) is now using his security consulting company to sell zero-day exploits, at least to those who can afford them. From the article:
Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.
Home Depot released a statement yesterday revealing details on their recent breach. According to the statement, 56 million unique payment cards were compromised in the attack. This surpasses the Target breach late last year where 40 million credit card and debit card numbers were compromised. The statement also goes on to say that the malware that was discovered on Home Depot systems was “unique, custom-built malware” and was not the same malware that compromised Target as initially reported.
According to this article, and based on a recently released report by the US Senate Armed Services Committee, Chinese hackers breached systems for military contractors at least 20 times in one year. From the article:
The committee’s investigation identified gaps in cyber-incident reporting requirements at the US Transportation Command (TRANSCOM), which is responsible for moving US troops and equipment, including to and from war zones.
This article provides some detail into the recently announced compromise of Home Depot customer data. According to the article, Home Depot tried to shore up its defenses in the wake of the Target breach late last year but it may have been too late. From the article:
By January, the group had produced recommendations that included new technology to fully encrypt payment card data at the chain’s 2,200 U.S. and Canadian stores. But it wasn’t until April—after months of testing—that Home Depot signed a more than $7 million contract with a data security provider to begin the work.
By then, the hackers might already have cracked the fourth-largest retailer’s payment systems. And by early September, when the company says it became aware it was hacked, the encryption system had only been rolled out to a quarter of its stores.
It is obvious why hackers would target organizations like Target and Home Depot: the information they are after includes customer and credit card data. This article discusses why hackers may target an organization’s customer relationship management (CRM) data, which might not be as obvious. From the article:
CRM data may not seem to be the low hanging fruit of, say, a nationwide sweep of Home Depot customer accounts, but a closer look suggests it is – and possibly even more lucrative for hackers. CRM data can contain everything from financial records, corporate email addresses, notes and documents about late-paying customers, intellectual property and sales forecast data.
One of the new features Apple is touting along with the release of the iPhone 6 is Apple Pay. This feature will allow users to pay for items from their iPhone. This article discusses the safety of using the iOS platform for making purchases. From the article:
So there is no copy of your credit card data, stored or used, that could be extracted, RAM scraped or skimmed by a crook, as happens in traditional credit card breaches. (Even Chip-and-PIN cards typically have a fallback magnetic stripe that can be skimmed to reveal data that a crook could misuse in subsequent online transactions.)
According to this article, and based on a study by a “group of national privacy and data protection bodies from all around the world”, the vast majority of smartphone apps provide inadequate information on the privacy implications associated with using these apps. From the article:
The study, conducted by the Global Privacy Enforcement Network (GPEN), looked at over 1200 apps with participants each tasked with looking at a handful developed in, or targeting users in, their own region.
It found that only 15% provided clear information on how the app gathers, uses and shares private data on the user, to an extent that the user could feel confident in their understanding of how it works.
More and more devices are being connected to the Internet, which can be convenient, but these devices are then exposed to remote hacking. This article discusses a proof-of-concept remote hack against a Canon Pixma printer in which a researcher installed and ran the game Doom on it. From the article:
Mr Jordon found that the Canon Pixma printer he used can be accessed via the internet using a web interface to check on queued jobs, device status and so on. The interface has no user name or password and is open to discovery. While this kind of info might not be particularly sensitive Jordon found that the printer firmware was also updatable via this web interface. He reverse engineered the encrypted firmware to reveal the computer code and thus discovered how to replace it with his own firmware which would in turn be accepted as authentic.