Did Sears Suffer A Data Breach?

Sears Holdings Corp acknowledged it has launched an investigation to determine whether it was the victim of a security breach, following Target Corp’s revelation at the end of last year that it had suffered an unprecedented cyber attack.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears spokesman Howard Riefs said in a statement on Friday.

“We have found no information based on our review of our systems to date indicating a breach,” he added.

He did not say when the operator of Sears department stores and Kmart discount stores had begun the investigation or provide other information about the probe.

Sears Holdings Corp operates nearly 2,500 retail stores in the United States and Canada.

Bloomberg News reported on Friday that the U.S. Secret Service was investigating a possible secret breach at Sears, citing a person familiar with the investigation. The report did not identify that source by name.

The Bloomberg report said that its source did not disclose details about the scope or timing of the suspected breach.

A spokesman for the U.S. Secret Service declined comment when Reuters asked if the agency was investigating a possible breach at Sears.

The Secret Service is leading the U.S. government’s investigation into last year’s attack on Target, which the company has said led to the theft of some 40 million payment card numbers as well as another 70 million pieces of personal data.

Source

Twitter Tightens Security

Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.

The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”

“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”

Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.

Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.

Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.

The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.

“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”

Source

Adobe Data Found Online

A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.

LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.

Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.

The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.

While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records include some 25 million records containing invalid email addresses, 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.

She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.

The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.

Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.

He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.

“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”

Source

SalesForce Goes Hacking

Salesforce.com really wants to attract lots of developers to its Dreamforce conference next month in San Francisco. As in, really.

Last Friday, the cloud software vendor announced a “hackathon” would be held at the conference, with US$1 million going to the developer or team who creates the top prize-winning mobile application with Salesforce.com technology.

“It’s not going to be easy — $1 million is going to bring out the best of the best,” Salesforce.com said in Friday’s announcement. “So don’t wait until Dreamforce! You’re going to want to get started now. With Force.com, Heroku, ExactTarget Fuel, Mobile Services and more — you’ve got a killer array of platform technology to use.”

Salesforce.com will also be providing some “pretty amazing new technology” for use at the show, the announcement adds.

In order to participate, developers have to either register for a full conference pass or a special $99 hacker pass.

The hackathon reflects Salesforce.com’s long courtship of developers to its development technologies, its AppExchange marketplace and recent efforts to build out more tooling for mobile application development.

Developers taking part in the hackathon will have plenty of competition, with some 20,000 programmers expected to attend Dreamforce overall. A “Hack Central” area will be open around the clock, supporting coders who want to work until the wee hours on their application.

In order to qualify, an application can’t have been previously released. The entries will be judged on four criteria counting 25 percent each: innovation, business value, user experience and use of Salesforce.com’s platform.

The second-place finisher will receive $50,000, with $25,000 going to the third-place winner. Fourth and fifth place will get $10,000 and $5,000, respectively.

Some 120,000 people are expected to register for Dreamforce this year. While some of that total will be watching online rather than in person, Dreamforce is now operating at a scale rivaling Oracle’s OpenWorld event, which happened last month.

Source

Huawei Investigating Security Flaws

Huawei Technologies said on Thursday it was investigating claims that its routers contained critical vulnerabilities, after security researchers disclosed alleged problems last.

“We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims,” Huawei said in an email. The company added it uses “rigorous security strategies and policies” to protect the networks of its customers, while following industry standards and best practices concerning security.

“Huawei has established a robust response system to address product security gaps and vulnerabilities,” the company said. The company is also calling on industry to promptly report all product security risks so that the problems can be addressed and fixed, it said in its email.

The alleged security vulnerabilities were disclosed at the Defcon hackers conference this past Sunday by two security researchers. The vulnerabilities were found in the firmware of Huawei AR18 and AR29 series routers, which once exploited through the flaws, could be taken over via the Internet.

One of the researchers, Felix Lindner the head of security firm Recurity Labs, described the security of the Huawei devices he analyzed as “the worst ever”, and said there were bound to be more security flaws with the products.

Source…

More Citigroup Accounts Compromised Than Stated

Citigroup was apparently hit harder by a cyber-attack in May than what was originally reported; which is now 360,000 of its customers. Unfortunately, this number is double the number that Citigroup initially stated.

Citigroup is one of the biggest banks in the US and ranks number 3 overall. The breach occurred on May 10^th and was confirmed by Citigroup on June 8th^th. That said, around 360,080 North American Citigroup credit card accounts were impacted by the breach, Citigroup stated; which is around 1 per cent of their North American card customer’s base.

Read More….

« Previous Page