Sign up for our Technology Newsletter 
UPS Breached
Credit and debit card information belonging to customers made purchases at 51 UPS Store Inc. locations in 24 states this year may have been illegally accessed as the result of an intrusion into the company’s networks.
In a statement on Wednesday, UPS said it was recently notified by law enforcement officials about a “broad-based malware intrusion” of its systems.
A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four-dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.
The intrusion may have exposed data on transactions conducted at the stores between Jan. 20 and Aug. 11, 2014. “For most locations, the period of exposure to this malware began after March 26, 2014,” UPS said in a statement.
In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses.
Each of the affected locations is individually owned and runs private networks that are not connected to other stores, UPS added. The company provided alist of affected locations.
The breach is the third significant one to be disclosed in the past week. Last Thursday, grocery store chain Supervalu announced it had suffered a malicious intrusion that exposed account data belonging to customers who had shopped at about 180 of the company’s stores in about a dozen states. The breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.
OpenSSL Gets Updated
OPENSSL, the web security layer at the center of the Heartbleed vulnerability, has been issued with a further nine critical patches.
While none are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities stem from various security research teams around the web including Google, Logmein and Codenomicom, based on their reports during June and July of this year.
Among the more interesting fixes involves a flaw in the ClientHello message process. If a ClientHello message is badly fragmented, it is vulnerable to a man-in-the-middle attack which could be used to force the server to downgrade itself to the TLS 1.0 protocol, a fifteen year old and therefore pre-Heartbleed patch variant.
Other reports include memory leaks caused by denial of service attacks (DoS) and conversely, crashes caused by an attempt to free up the same portions of memory twice.
OpenSSL now has two full time coders as a result of investment by a consortium of Internet industry companies to form the Core Infrastructure Initiative, a not-for-profit group administered by the Linux Foundation. The Initiative was set up in the wake of Heartbleed, as the industry vowed to ensure such a large hole would never be left unplugged again.
While OpenSSL is used by a large number of encrypted sites, there are a number of forks of the project including LibreSSL and the recently launched Google BoringSSL.
Google recently announced that it would be lowering the page rankings of unencrypted pages in its search results as an added security measure.
Hackers Going After Traffic Signs
After hackers played several high-profile pranks with traffic signs, including warning San Francisco drivers of a Godzilla attack, the U.S. government advised operators of electronic highway signs to take “defensive measures” to better secure their property.
Last month, signs on San Francisco’s Van Ness Ave were photographed flashing “Godzilla Attack! Turn Back” and highway signs across North Carolina were tampered with last week to read “Hack by Sun Hacker.”
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, this week advised cities, highway operators and other customers of digital-sign maker Daktronics Inc to take “defensive measures” to minimize the possibility of similar attacks.
It said that information had been posted on the Internet advising hackers how to access those systems using default passwords coded into the company’s software. “ICS-CERT recommends entities review sign messaging, update access credentials and harden communication paths to the signs,” the agency said in an alert posted on Thursday.
Jody Huntimer, a representative for Daktronics, declined to say if the recent attacks involved the bug reported by ICS-CERT.
“We are working with the ICS-CERT team to clarify the current alert and will release a statement once we have assessed the situation and developed customer recommendations,” Huntimer said via email.
Krebs on Security, a widely read security blog, posted a confidential report from the Center for Internet Strategy, or CIS, which was sent to state security officials. It warned that the pranks created a public safety risk because drivers often slow or stop to view the signs and take pictures.
CIS also predicated that amateur hackers might attempt to hack into other systems in the coming weeks following the May 27 release of “Watch Dogs,” a video game from Ubisoft focused on hacking critical infrastructure.
PoS Cyber Attacks Up In 2013
June 4, 2014 by admin
Filed under Around The Net
Comments Off on PoS Cyber Attacks Up In 2013
A third of data intrusion investigated by security firm Trustwave last year involved compromises of point-of-sale (POS) systems and over half of all intrusions targeted payment card data.
Even though POS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.
E-commerce intrusions accounted for 54 percent of investigated data breaches and POS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and PoS attacks as leading causes of security incidents with confirmed data disclosure last year.
According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from POS transactions in 19 percent of attacks.
In Western Europe in particular, where countries have rolled out EMV — chip-and-PIN payment card transactions — cybercriminals shifted their focus from POS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”
However, a significant increase in the theft of sensitive, non-payment-card data, was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.
Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that’s why there’s been an uptick in attacks focusing on such data, Yeo said.
Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.
Is RedHat Being Open?
Red Hat has responded to claims that its implementation of Openstack isn’t as open as it should be.
A report at the Wall Street Journal this week suggested that Red Hat was blocking customers from using alternatives to the bespoke version of Openstack that it offers.
Red Hat provides Openstack with extended support by the company, however in spirit of open source, users should be entitled to use another vendor’s Openstack software, the generic Openstack, or create their own fork.
In reality though, the Wall Street Journal report suggests that Red Hat customers have been advised that Red Hat will not support mixed vendor software, that it has claimed it would cost the company too much to support multiple Openstack distributions and that Red Hat Linux and Red Hat Openstack are too closely intertwined to be separated.
Openstack’s open character is part of what makes it what it is, it’s embedded in the name, and Red Hat has been quick to distance itself from the report, though it does hedge a bit.
In a blog post, Paul Cormier, president of the company’s Products and Technologies division said, “Red Hat believes the entire cloud should be open with no lock-in to proprietary code. Period. No exceptions. Lock-in is the antithesis of open source, and it goes against everything Red Hat stands for.”
However, he went on to warn, “[Red Hat Enterprise Linux OpenStack Platform] requires tight feature and fix alignment between the kernel, the hypervisor, and Openstack services. We have run into this in actual customer support situations many times.”
In other words, its advice to customers is seemingly ‘of course you can do it, but you’d have to be a bit daft’.
He went on to explain, “Enterprise-class open source requires quality assurance. It requires standards. It requires security. Openstack is no different. To cavalierly ‘compile and ship’ untested Openstack offerings would be reckless. It would not deliver open source products that are ready for mission critical operations and we would never put our customers in that position or at risk.”
Which suggests that Red Hat will let you use your own version, unless it’s not happy with it, in which case it won’t.
In a swipe at HP, Cormier concluded by attacking its rival, saying, “We would celebrate and welcome competitors like HP showing commitment to true open source by open sourcing their entire software portfolio.”
HP, which recently launched its HP Helion brand for Openstack, would probably argue that it has already done this, so the war of words might just be beginning.
Many Websites Still Exposed
The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.
On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.
Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.
Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.
The bug had been introduced in OpenSSL in late 2011.
Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and the very stealthy nature of its exploit, security experts worried that cyber criminals either had, or could, capture usernames, passwords,\ and even encryption keys used by site servers.
The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.
The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog postthat day.
While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.
Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.
Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.
Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.
Dell RedHat Join Forces
The Dell Red Hat Cloud solution, a co-engineered, enterprise grade private cloud, was unveiled at the Red Hat Summit on Thursday.
The Openstack-based service also includes an extension of the Red Hat partnership into the Dell Openshift Platform as a Service (PaaS) and Linux Container products.
Dell and Redhat said their cloud partnership is intended to “address enterprise customer demand for more flexible, elastic and dynamic IT services to support and host non-business critical applications”.
The integration of Openshift with Redhat Linux is a move towards container enhancements from Redhat’s Docker platform, which the companies said will enable a write-once culture, making programs portable across public, private and hybrid cloud environments.
Paul Cormier, president of Products and Technologies at Red Hat said, “Cloud innovation is happening first in open source, and what we’re seeing from global customers is growing demand for open hybrid cloud solutions that meet a wide variety of requirements.”
Sam Greenblatt, VP of Enterprise Solutions Group Technology Strategy at Dell, added, “Dell is a long-time supporter of Openstack and this important extension of our commitment to the community now will include work for Openshift and Docker. We are building on our long history with open source and will apply that expertise to our new cloud solutions and co-engineering work with Red Hat.”
Dell Red Hat Cloud Solutions are available from today, with support for platform architects available from Dell Cloud Services.
Earlier this week, Red Hat announced Atomic Host, a new fork of Red Hat Enterprise Linux (RHEL) specifically tailored for containers. Last year, the company broke bad with its Fedora Linux distribution, codenamed Heisenbug.
Source
Malware Targets Job-seekers
April 10, 2014 by admin
Filed under Around The Net
Comments Off on Malware Targets Job-seekers
A new version of the Gameover computer Trojan is targeting job hunters and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts.
Gameover is one of several Trojan programs that are based on the infamous Zeus banking malware, whose source code was leaked on the Internet in 2011. Like Zeus, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers.
The ability to inject content into browsing sessions in real time has traditionally been used by computer Trojans to steal online banking credentials and financial information. However, cybercriminals are increasingly using this technique to compromise other types of accounts as well.
For example, in February, researchers from security firm Adallom found a Zeus variant that stole Salesforce.com log-in credentials and scraped business data from the compromised accounts.
The latest development involves a new Gameover variant that contains a configuration file to target Monster.com accounts, one of the largest employment websites in the world, security researchers from antivirus firm F-Secure said.
“A computer infected with Gameover ZeuS will inject a new ‘Sign In’ button [into the Monster.com sign-in page], but the page looks otherwise identical,” they said.
After the victims authenticate through the rogue Web form the malware injects a second page that asks them to select and answer three security questions out of 18. The answers to these questions expose additional personal information and potentially enable attackers to bypass the identity verification process.
Targeting Monster.com is a new development, but the Gameover malware had already been targeting CareerBuilder.com, another large employment website, for some time.
Recruiters with accounts on employment websites should be wary of irregularities on log-in pages, especially if those accounts are tied to bank accounts and spending budgets, the F-Secure researchers said. “It wouldn’t be a bad idea for sites such as Monster to introduce two factor authentication beyond mere security questions.”
The authors of the Gameover Trojan program have been particularly active recently. In early February researchers from security firm Malcovery Security reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. Later that month researchers from Sophos detected a Gameover variant with a kernel-level rootkit component that protected its files and processes, making it harder to remove.
Unlike most other Zeus spinoffs, Gameover is also using peer-to-peer technology for command-and-control instead of traditional hosted servers, which improves its resilience to takedown efforts by security researchers.
Will Chrome’s API Work?
March 25, 2014 by admin
Filed under Around The Net
Comments Off on Will Chrome’s API Work?
Google has targeted web browser settings hijacking in its latest update to Chrome for Windows.
On the Chromium blog, Google engineering director Erik Kay announced an extension settings API designed to ensure that users have notice and control over any settings changes made to their web browsers.
As a result, the only way extensions will be able to make changes to browser settings such as the default search engine and start page will be through this API.
Bargain hungry consumers are often unaware that freeware programs often bundle add-on programs for which developers receive payment but can create irritating, rather than malicious, changes to user settings.
Although there is usually consent sought at installation, quite often it is ignored or not understood, and the people who miss the warnings are generally the same ones who find it hard to change the settings back.
Kay said that the API is available in the Chromium developer channel, with a rollout to the stable channel set for May.
The Chromium stable channel has been updated to version 33.0.1750.149. The main change is an update to the embedded Flash Player for Windows, which is now version 12.0.0.77.
There are seven new security fixes, most of which were user submitted via the open source Fast Memory Detector Address Sanitizer.
Although the user community and Chrome team continue to proactively protect the Chromium project, third party extensions can still cause problems, with several already having been removed from the Chrome Store this year.
Target Makes Information Security Changes
Comments Off on Target Makes Information Security Changes
Target Corp announced an overhaul of its information security processes and the departure of its chief information officer as the retailer tries to re-gain customers and investors after a massive data breach late last year.
CIO Beth Jacob is the first high-level executive to leave the company following the breach, which led to the theft of about 40 million credit and debit card records and 70 million other records of customer details.
Jacob, who comes from a sales background and has been CIO since 2008, will be replaced by an external hire, according to sources at Target.
“It’s a decision that should have been made by the CEO on January 1, not through the resignation of an employee that overlooked critical weakness in the operating model,” Belus Capital Advisors CEO Brian Sozzi said.
The breach at Target was the second largest at a U.S. retailer, after the theft of more than 90 million credit cards over about 18 months was uncovered in 2007 at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains.
Hacking has become a major concern for retailers in the United States. In the latest reported breach, beauty products retailer and distributor Sally Beauty Holdings Inc said on Wednesday its network had been hacked but no card or customer data appeared to have been stolen.
Target Chief Executive Gregg Steinhafel said the company would elevate the role of chief information security officer as part of its plan to tighten its security.
The company will also look externally to fill that position as well as the new position of chief compliance officer.
Steinhafel said Target would be advised by security consultant Promontory Financial Group as it evaluates its technology, structure, processes and talent.
“I believe this is definitely a measure in restoring faith and really showing that they are taking the breach seriously,” Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, told Reuters.
Target, the third-largest U.S. retailer, said last week customer traffic had started to improve this year after falling significantly toward the end of the holiday shopping season when news of the cyber attack spooked shoppers.