Uber Suffers A Data Breach

The names and license plate numbers of about 50,000 Uber drivers were exposed in a security breach last year, the company revealed on Friday.

Uber found out about a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.

The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.

It’s in the process of notifying the affected drivers and advised them to monitor their credit reports for fraudulent transactions and accounts. It said it hadn’t received any reports yet of actual misuse of the data.

Uber will provide a year of free identity protection service to the affected drivers, it said, which has become fairly standard for such breaches.

The company said it had filed a “John Doe” lawsuit Friday to help it confirm the identity of the party responsible for the breach.

Source

Hackers Infiltrate Jimmy Johns

Sandwich restaurant chain Jimmy John’s said there was a potential data breach involving customers’ credit and debit card information at 216 of its stores and franchised locations on July 30.

An intruder stole log-in credentials from the company’s vendor and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5, the company said.

The chain is the latest victim in a series of security breaches among retailers such as Target Corp, Michaels Stores Inc and Neiman Marcus.

Home Depot Inc  said last week some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than the breach at Target Corp.

More than 12 of the affected Jimmy John’s stores are in Chicago area, according to a list disclosed by the company.

The breach has been contained and customers can use their cards at its stores, the privately held company said.

Jimmy John’s said it has hired forensic experts to assist with its investigation.

“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online,” Jimmy John’s said.

The Champaign, Illinois-based company said stolen information may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date.

Source

UPS Breached

Credit and debit card information belonging to customers made purchases at 51 UPS Store Inc. locations in 24 states this year may have been illegally accessed as the result of an intrusion into the company’s networks.

In a statement on Wednesday, UPS said it was recently notified by law enforcement officials about a “broad-based malware intrusion” of its systems.

A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four-dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.

The intrusion may have exposed data on transactions conducted at the stores between Jan. 20 and Aug. 11, 2014. “For most locations, the period of exposure to this malware began after March 26, 2014,” UPS said in a statement.

In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses.

Each of the affected locations is individually owned and runs private networks that are not connected to other stores, UPS added. The company provided alist of affected locations.

The breach is the third significant one to be disclosed in the past week. Last Thursday, grocery store chain Supervalu announced it had suffered a malicious intrusion that exposed account data belonging to customers who had shopped at about 180 of the company’s stores in about a dozen states. The breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.

Source

Hackers Dupe Apple

Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spreading malicious chunks of code through an apparently-innocuous app for activation later.

According to their paper the Georgia Tech team wanted to create code that could be rearranged after it had passed AppStore’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.

They created an app that operated as a Georgia Tech “news” feed but had malicious code was distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.

The instructions for reassembly of the app arrive through a phone-home after the app is installed.

The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Source

Twitter’s Authentication Has Vulnerabilities

Twitter’s SMS-based, two-factor authentication feature could be abused to lock users who have not enabled it for their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.

Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users’ accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.

According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don’t have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.

An attacker who steals someone’s log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person’s account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won’t be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.

This is possible because Twitter doesn’t use any additional method to verify that whoever has access to an account via Twitter’s website is also authorized to enable two-factor authentication.

When the two-factor authentication option called “Account Security” is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click “yes,” even if they didn’t receive the message, Sullivan said.

Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.

As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.

Some security researchers already expressed their belief that Twitter’s two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.

Twitter did not immediately respond to a request for comment regarding the issue described by Sullivan.

Source

Passwords Continue As The Weakest Link

Passwords aren’t the only failure point in many recent widely publicized intrusions by hackers.

But passwords played a part in the perfect storm of users, service providers and technology failures that can result in epic network disasters.  Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.

The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.

Password security is the common cold of our technological age, a persistent problem that we can’t seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.

All of which makes password management a nightmare for IT shops. “IT faces competing interests,” says Forrester analyst Eve Maler. “They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts.”

Source…

Chase Building 1/2 Billion Dollar Data Center

The enthusiastic backer of Enron and serial over charger of  mortgage payers, JPMorgan Chase has just splashed out on a new $500 million data center.

CEO Jamie Dimon announced the move which practically everyone in the IT industry finds a bit strange. While Chase is the US’s largest bank, the new facilities are a little big by anyone’s standard. It is about the same about of money that Google and Microsoft in their largest data centres for their cloud networks.

Dimon cited the figure as one of the advantages of being a big size. It can afford to invest cash in this way. Size lets Chase build a $500 million data centre that speeds up transactions and invest billions of dollars in products like ATMs and apps that allow your iPhone to deposit cheques, he enthused.

JPMorgan Chase operates two large data centres in Delaware and a 400,000 square foot facility. It also acquired data centres in its deals for distressed rivals Bear Stearns and Washington Mutual in the early days of the 2008 financial crisis. So why it needs a huge new one is anyone’s guess.

Source…

Cisco Lends A Hand In Fighting Fraud

Cisco released an API at the Interop 2012 Conference this week for its branch routers designed to enable third-party developers to write applications to beef up the security of phone calls over the router network.

The Cisco UC Gateway Services API is a Web-based programming interface that allows customers and developers access to call information over a Cisco ISR G2 router at the edge of a voice network, such as signaling and media. This information can be used to detect and help prevent malicious activity such as social engineering and identity theft scams, contact center account takeover fraud, unauthorized network and service use, and denial-of-service attacks.

Applications written to the API can then apply appropriate action to terminate, redirect or record the call.

Cisco, citing data from the Communications Fraud Control Association, says global telecom fraud losses are estimated to be $40 billion annually.

Source…

Satellite Phone Encryption Cracked

German researchers claim to have cracked the algorithm that secures satellite phone transmissions.

Benedikt Driessen and Ralf Hund from Ruhr University have reverse engineered the GMR-1 and GMR-2 voice ciphers used in a lot of satellite systems. These are used by, among others, government agencies and the military.

Bjoern Rupp, CEO at GSMK Cryptophone said, “This breakthrough has major implications for the military, civilians engaged on overseas operations, or indeed anyone using satellite phones to make sensitive calls in turbulent areas.”

Their report is titled “Don’t Trust Satellite Phones” and shows how someone with a “suitably programmed computer” and software radio capable of receiving satellite frequencies can hack calls. These include ones made by disaster relief agencies and the military.

Source…

RIM’s Playbook Gets Jailbroken

Three hackers say they have taken advantage of a vulnerability in Research In Motion’s PlayBook tablet to gain root access to the device, a claim that could damage the BlackBerry maker’s stellar reputation for security.

Root access means a user has permission to change any file or program on a device and can control hardware functions.

In a response to questions concerning the issue, RIM said it is investigating the claim, and if a “jailbreak” is confirmed will release a patch to plug the hole.

The three hackers – who identify themselves as xpvqs, neuralic and Chris Wade – plan to release their data within a week as a tool called DingleBerry.

Apple’s iOS and Google’s Android operating systems are frequently attacked by users who want to run programs that have not been authorized by the manufacturers, but breaches of RIM’s software are more rare.

The PlayBook runs on a different operating system than RIM’s current BlackBerry smartphones. However, the QNX system will be incorporated into its smartphones starting next year.

Source…

Next Page »