Cisco Warns Of Bug In Virtual App

Cisco has warned of a default Secure Shell vulnerability in three of its virtual applications.

The flaw could allow attackers to decrypt traffic exchanged in the services, and has been detailed in a Cisco security advisory.

It affects Cisco’s Web Security Virtual Appliance (SMAv), Email Security Virtual Appliance and Security Management Virtual Appliance, which are already commercially available.

Cisco said that it “is not aware of any public announcements or malicious use of the vulnerabilities”, but warned that attackers who got hold of the private keys could decrypt communications with a man-in-the-middle attack.

The default private encryption keys were preinstalled on all three of the products, a move which is considered bad security practice.

“Successfully exploiting this vulnerability on Cisco SMAv allows an attacker to decrypt communication toward SMAv, impersonate SMAv, and send altered data to a configured content appliance,” the advisory said.

“An attacker can exploit this vulnerability on a communication link toward any content security appliance that was ever managed by any SMAv.”

Cisco has released a patch which deletes the preinstalled SSH keys and explains how customers can correct the problem.

The Cisco-sa-20150625-ironport SSH Keys Vulnerability Fix comes as part of several product upgrades, and must be manually installed from a command line interface.

Cisco’s advisory said that the patch is not required for physical hardware appliances, or for virtual appliance downloads or upgrades after 25 June.

Cisco revealed details of a new point of sale attack earlier this year that could part firms from money and customers from personal data.

The threat, called PoSeidon by the Cisco team, came at a time when eyes were on security breaches at firms like Target.

Cisco said in a blog post that PoSeidon is a threat that has the ability to breach machines and scrape them for credit card information.

Source

Yet Another Retailer System Hacked

Women’s clothing retailer Bebe Stores has become the latest in a growing list of national retailers to be hit by an attack on its credit card payment system.

The company said Friday that the cardholder name, account number, expiration date, and verification code could have been stolen by hackers who apparently had access to the company’s payment processing system between Nov. 8 and 26.

The incident came to light in late November when Bebe said it noticed suspicious activity on computers that operate the payment processing system. Stores affected were the roughly 200 it operates in the U.S., Puerto Rico and the U.S. Virgin Islands.

“If you used a payment card at a U.S., Puerto Rico or U.S. Virgin Islands store during this time frame, you should review your account statements for any unauthorized activity,” it said in a message to customers.

The last couple of years have been bad ones for the safety of credit card data at major U.S. retailers. Millions of credit and debit card numbers have been compromised in breaches at retailers, including Target, Home Depot, PF Chang’s restaurants, Super Valu grocery stores, Neiman Marcus, UPS Store and others.

In many cases, the attacks were targeted at payment processing terminals and used sophisticated malware that stole card details as consumers swiped their cards. Many of the thefts were only discovered after the card numbers appeared for sale on Internet hacking forums.

Such was the case with Bebe Stores. First news of the hack came earlier this week through the closely followed Krebs on Security blog.

Source

Dell Goes Bitcoin

Want to purchase a laptop with bitcoins? Dell is now accepting the digital currency as a form of payment.

Consumer and business shoppers can pay for products directly via bitcoins or through Coinbase, a third-party payment processing company, Dell said.

Buyers can pay for products through Bitcoin wallets or by scanning a QR code with a smartphone.

The volatile Bitcoin has had its share of controversies and exchange shutdowns as the currency matures. Companies like Overstock.com, Newegg, Expedia and some Amazon storefronts accept Bitcoin as a form of payment. But major retailers like Walmart and eBay have not warmed up to the idea. The value of one bitcoin was around $630 as of Friday, according to multiple cryptocurrency website.

There are some advantages to paying via Bitcoin. The form of currency is accepted around the world, and for Dell, the payment-processing cost is less than with credit cards.

But the form of payment has its quirks.

“Due to the nature of the Bitcoin network, once you initiate a Bitcoin transaction you cannot change or cancel it,” Dell said on a terms and conditions page.

Customers could seek refunds in the case of canceled transactions or product returns.

“For a qualifying return of product paid for in Bitcoin, any refund due will be remitted to the purchaser via check in U.S. Dollars for the full amount of the purchase price paid at the time of the original transaction, less any applicable restocking fees,” Dell said.

Source

eBay Expands Mobile Shopping

Braintree, the payments gateway owned by eBay Inc, is working on removing a hurdle for e-commerce companies by making it easier for customers to directly pay for products on their smart phones.

The company rolled out a set of tools for software developers on Wednesday that allows businesses to deduct payments directly from a customer’s PayPal account.

The developer kit is the first big push from Braintree since it was bought by eBay for $800 million last year to help PayPal, eBay’s payments division, expand its presence on mobile devices.

Eliminating the need for mobile shoppers to type in their credit card details on their phones should help boost sales, Braintree Chief Executive Bill Ready said in an interview.

This is especially critical as consumers spend more time on their smartphones, a trend that is forcing developers to design a “fundamentally different computing experience” for the smaller screen, Ready added.

Braintree processes payments for businesses including car service Uber and online home-rental marketplace Airbnb.

Source