STE WILLIAMS

Amazon data breach rumours spread as passwords are reset on some accounts

In the week of Black Friday, one of the busiest days of the shopping year, online retailing giant Amazon has reportedly begun forcibly resetting some users’ passwords over concerns about a password breach.

Some users received an email saying that their passwords had been reset, while others were notified through the site’s account message center, according to ZDNet. The email claimed that the company had “recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party”.

The messages said that there was “no reason” to believe passwords had been disclosed to a third party, but the action was precautionary.

Other than what has been reported, there is little information on why Amazon has performed the reset and issued a warning to users. Speaking to Naked Security, Amazon’s press office said that there was no more information on the issue at the time of writing. If that changes, we will update this article.

Even if you haven’t received an alert from Amazon, out of an abundance of caution it’s worth considering resetting your password there and on any other account where you’ve used the same password (but you wouldn’t do that, would you?).

Remember the rule: one site, one password, and make sure you always pick a proper, secure one.

We reported last year that the average person has 19 passwords – and a third struggle to remember the stronger passwords. If you find it hard to remember them all, consider using a password manager to keep all your secure passwords in one place.

It always pays to be cautious about phishing messages and there is the chance that attackers may pounce on this opportunity to get Amazon users to click on rogue email links. So make sure you don’t click on any unexpected emails – far better to go straight to the Amazon site and change your password there.

The breach reports follow news last week that Amazon is enabling two-step verification, allowing users to log in via a one-time password sent to their phone, or by using an authenticator app.

This is a positive move by Amazon, and sees it follow other online retailers such as Apple, eBay and Facebook in offering this extra layer of security.

However, according to twofactorauth.org, many online retailers and other websites have a distinct lack of two-factor offerings.

If the sites you use offer any form of two-factor authentication, make sure you turn it on. It makes it a lot harder for any potential crook to get into your account, because they need a second level of authentication (such as a text message or app on your phone) as well as your login credentials.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H2I22DZW8P8/

Hilton confirms hotel credit card PoS terminal malware breach

Hilton Worldwide has confirmed that malware found its way onto point-of-sale systems that targeted payment card information.

Targeted data included cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not exposed, Hilton concluded, after an investigation that brought in third-party forensics experts, law enforcement and payment card companies.

Hilton does not say how many or which hotel locations may have been affected by the breach, but is telling customers to review their payment card statements – particularly if they used their cards at a Hilton Worldwide hotel between specified dates (8 November – 5 December 2014 or 21 April – 27 July 2015). The hotel chain is also keeping quiet about the number of people or credit card records exposed as a result of the breach.

In its statement, Hilton sought to assure guests that the malware had been purged and the security of its systems strengthened in the wake of the attack.

Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems. Hilton immediately launched an investigation and has further strengthened its systems.

Tuesday’s confirmation of the breach is no surprise: it follows reports in September that the hotel chain had suffered a hack attack. Again, the number of records exposed was left unclear.

The breach follows a succession of attacks on other hotel chains, including Starwood and Trump Hotels over recent months.

Ryan Wilk, director at fraud prevention firm NuData Security, commented: “This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.

“While we can’t know for sure what [the] hackers’ long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the dark web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation,” he added.

Kevin Watson, chief exec at Netsurion, a provider of remotely managed security for multi-location businesses, added: “It’s especially important during the holiday season for merchants, retailers, hotels and hospitality businesses that process payment data to understand that they are lucrative targets. Therefore, it’s essential to take the necessary steps to protect customer data and ensure that stronger security measures are in place for their networks, payment systems and on-premise Wi-Fi services. Making those areas a priority now will allow them to focus on the core business.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/hilton_credit_card_breach_confirmed/

Plusnet ignores GCHQ, spits out plaintext passwords to customers

Contrary to password storage security standards, BT-owned Plusnet is still delivering plaintext strings back to forgetful users, and seems to have no plans to tidy itself up any time soon – despite years of warnings from security experts and the advice of GCHQ.

Plusnet has stated that it “goes to great lengths to ensure we protect and secure our customer data”; however, plaintext passwords are still viewable by support staff and users.

The issue at the company has been recorded since 2013, though it may have been in effect long before that date, as noted on the Plain Text Offenders Tumblr.

Omer van Kloeten, one of the privacy enthusiasts behind the name-and-shame blog, told The Register: “The passwords users provide sites are the sole and secret property of the users.”

“No one apart from the user should ever know what their password is,” said Van Kloeten, noting that if the user used a password manager “as they should,” even they wouldn’t know it.

Moreover, we all use the same password for multiple accounts. What if someone – a hacker or even a malicious Plusnet employee – were to try and use this password for other accounts, on other sites?

This behavior exposes users to innumerable risks. Plusnet is painting a very big target on their own backs.

“Passwords are encrypted in our database,” the telco claimed to The Register. “We do not show customers their passwords in an email in plain text and anyone who has forgotten their password must go through a combination of security mechanisms to regain access.”

The value of these security mechanisms is quite contestable, however, as is the value of denying that the plaintext password appears in emails; the issue is rather that a link in the email directs users to a webpage where the plaintext password is presented.

Plusnet customer James Holt told The Register: “When I needed to get into my Plusnet Member Centre account last week I was pretty surprised that Plusnet so readily presented me with my account password on a web page simply by entering my Plusnet username on the Forgotten Your Password? page and then clicking the link in the email they sent me. Boom – there it was staring right back at me under the heading ‘Here you go, this is your password’.”

Holt said “just to make sure I cleared the Safari cache on my phone, disabled wifi and did the whole thing again just in case Plusnet was doing some kind of identification from my broadband IP, but the exact same thing happened again.”

The issue seems to have been consistently present between 2013 and now, as several tweets have referenced it too.

“I’ve never come across a website that behaves in this way before,” said Holt. “Clearly they are not using one-way hashing of passwords.”

Asked to clarify whether Plusnet encrypted passwords using a one-way hash function, The Register was told “We have already issued a statement with regards to your queries and have nothing further to add.”

Recent password guidance (pdf) published by CESG, the information assurance arm of GCHQ, recommended that companies do not store information as Plusnet seems to be doing.

A GCHQ spokesperson told The Register that “The CESG Password Guidance recommends that password files should be hashed and salted. If this process is followed correctly, it will not be possible to reconstruct the plaintext password.”

Security expert Kenn White said that “When a web site is able to ‘remind’ you of your password by emailing it back, that’s a symptom of very poor security practices. We know from years of cleaning up and analyzing breach incidents that people routinely reuse passwords across sites. And so even if someone has seen the light and uses strong passwords moving forward, they may have scores of old logins long since forgotten that might come back to haunt them when they leak.”

“Quite simply,” he added, “a company puts your private information and financial data at risk when it stores customer credentials in databases as unencrypted plaintext. So when an organization says ‘We care about your privacy and security’ but they operate like this, they really don’t. And the booming business in post-hack identity monitoring services confirms that.”

Matthew Green, a cryptography expert at Johns Hopkins University, told The Register: “If they’re using a proper password hash function, there should be no way for the company to retrieve the plaintext hash of a password. End of story. Encrypting passwords in their database sounds good, but in practice it doesn’t mean that the data is actually protected — since obviously the system has to be able to recover the unencrypted password to send it to users. If an attacker can compromise the server, they may be able to read out plaintext passwords.”

He added: “In general, my intuition is that this company is not following best practices and is probably putting their users’ credentials at risk.”
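The difference Green and the CESG guidance describe, as an added example (not Plusnet’s or CESG’s code): a reversible store lets the server decrypt the password, which is exactly what a “Here you go, this is your password” page needs and exactly what a server compromise hands to an attacker; a salted, slow one-way hash can be verified at login but never turned back into the password. The reversible scheme below uses a deliberately simple HMAC-keystream XOR as a stand-in for a real cipher, and the iteration count is an assumption.

```python
"""Why 'encrypted in our database' is not the same as hashed and salted."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor: an assumption, raise as hardware allows


# --- Scheme A: reversible storage (what a password-reminder page relies on) ---

def encrypt_reversible(password: str, server_key: bytes) -> str:
    """Store the password so the server can hand it back later.

    Toy cipher: XOR with an HMAC-derived keystream (max 32 bytes). It stands in
    for any real cipher; the weakness is that the key lives on the server.
    """
    nonce = os.urandom(16)
    keystream = hmac.new(server_key, nonce, hashlib.sha256).digest()
    data = password.encode()
    if len(data) > len(keystream):
        raise ValueError("toy cipher handles passwords up to 32 bytes")
    ciphertext = bytes(a ^ b for a, b in zip(data, keystream))
    return f"rev${nonce.hex()}${ciphertext.hex()}"


def decrypt_reversible(record: str, server_key: bytes) -> str:
    """The 'Forgotten Your Password?' page: anyone holding the key can do this."""
    _, nonce_hex, ct_hex = record.split("$")
    keystream = hmac.new(server_key, bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    ciphertext = bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ciphertext, keystream)).decode()


# --- Scheme B: salted one-way hash (the CESG recommendation) ---

def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # per-user salt: identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- What an attacker who reads the database and the server's key obtains ---

def plaintext_after_server_compromise(record: str, server_key: bytes) -> Optional[str]:
    """Reversible record: the password. Salted hash: nothing to decrypt."""
    if record.startswith("rev$"):
        return decrypt_reversible(record, server_key)
    return None  # no key exists that turns a salted hash back into the password


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    rev = encrypt_reversible("correct horse battery", key)
    hashed = hash_password("correct horse battery")
    print("reminder page can show:", decrypt_reversible(rev, key))
    print("login check (right, wrong):", verify_password("correct horse battery", hashed),
          verify_password("wrong", hashed))
    print("after compromise, reversible ->", plaintext_after_server_compromise(rev, key))
    print("after compromise, hashed     ->", plaintext_after_server_compromise(hashed, key))
```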

When The Register contacted Plusnet again with these concerns, the company refused to answer whether it was reviewing its password storage practices and again stated it would not deviate from its initial statement.

White recommends that “for critical accounts like online banking and web mail (which is the de facto center of your online identity), I strongly recommend using a password manager, and if identity theft is a serious concern, look into the feasibility of a formal credit freeze.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/plusnet_still_delivering_passwords_plaintext/

The Youthful Side Of Hacking

If the iconic 1955 movie Rebel Without a Cause was remade today, would James Dean be a computer hacker?

Teenage rebellion against authority is nothing new, but now it’s targeting faceless entities such as telecommunication firms in the recent TalkTalk breach.

Recent history shows that young cyber attackers are not a new phenomenon. The most high-profile cases that involved teenagers were probably the actions of the LulzSec hacker group. They claimed responsibility for several, mostly denial-of-service attacks against high-profile targets such as the US Senate, Sony Pictures, News Corporation, and the CIA. The group triggered an international investigation and was brought down during the second half of 2011. At least two members of the group, Ryan Cleary and Jake Davis, were identified as being under the age of 20 at that time.

A more recent story is the hack of the AOL account of CIA director John Brennan. The attacker then contacted The New York Post to describe his or her actions, which involved posing as a Verizon worker to trick other employees into revealing personal information about Brennan and then using that information to request a password reset. The attacker got access to documents that Brennan had forwarded to a personal account, some containing sensitive information. The attacker claims to be an American high school student, but the FBI has only just started its investigation, so the attacker’s true identity, including his or her age, has not yet been verified.

Our own company organized a global hacking competition at this year’s Black Hat USA conference, the eCSI Hacker Playground. It wasn’t too surprising that a high number of the best players were in their early 20s.

Image caption: Can teens today channel rebellious urges into positive activities? (Image source: IMDb)

In the post-Snowden era, we are all attuned to how legislation such as the controversial Stop Online Piracy Act (SOPA) or various “eavesdropping” laws such as the Electronic Communications Privacy Act (ECPA) heavily affects our increasingly digital lives. This applies especially to the millennial generation, who conduct the majority of their social lives online. For them, these laws are not about abstract ideas such as the right to privacy or freedom of speech: they are about taking away their ability to communicate with their friends in private, or at all.

Very often the success of these rulings depends on how data carriers and service providers relate to such governmental requests; a company that’s compliant with the authorities and does not even try to protect the privacy of its users can expect vocal, and maybe active, opposition from them. 

Tools do get easier all the time, but easy-to-use software packages that can get through sloppy defenses via well-known vulnerabilities in unpatched systems have been around for a long time. The term “script kiddie,” describing someone, presumed to be quite young, who can merely use such ready-made attack tools or “scripts” but lacks the advanced skills required to find vulnerabilities themselves, started to gain widespread adoption in the early 2000s.

There are toolkits designed to make the job of penetration testers easier that also present an opportunity for attackers with a relatively limited set of skills, such as the Metasploit Framework or various security-oriented Linux distributions, and these have a track record running back at least 10 years.

In the year 2010, multiple distributed denial-of-service (DDoS) attacks were organized by the members of the 4chan message board using a simple tool called Low Orbit Ion Cannon against the Church of Scientology and organizations opposing WikiLeaks, and participating in that attack was as simple as downloading and starting an application.

On the other hand, the fact that the alleged TalkTalk attacker is 15 does not necessarily mean that trivial-to-use tools were needed to achieve their goals. The history of computer science is full of young contributors. One example is the technologist, entrepreneur, and hacktivist Aaron Swartz, whose life and tragic death were documented in the critically acclaimed 2014 documentary “The Internet’s Own Boy.” Swartz became a member of a tech group working on some of the most important new Internet communication standards at the age of 14 and, along with the legal academic (and presidential candidate) Lawrence Lessig, is counted as one of the original architects of the Creative Commons organization.

Some 15-year-olds are using their talent to hack into corporate networks for fun, profit or to make a point, and as an industry we can make an impact to discourage the pursuit of criminal activity. By sponsoring events such as our hackathon we hope to inspire today’s young security experts to use these talents to create something great for the future. 

Péter Gyöngyösi is product manager of Blindspotter at Balabit. A graduate of Budapest University of Technology and Economics, he has been creating security products for over 10 years and is a frequent speaker at industry events.

Article source: http://www.darkreading.com/attacks-breaches/the-youthful-side-of-hacking-/a/d-id/1323321?_mc=RSS_DR_EDT

Amazon resets account passwords feared compromised – report

Amazon.com appears to be asking some of its customers to reset passwords after a breach of some sort.

The online bazaar apparently sent cryptic emails to some of its account holders warning them that their passwords were blabbed in some way, and therefore have to be changed.

“We recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party. We have corrected the issue to prevent this exposure,” Amazon is reported to have told customers.

Amazon says it has no evidence that the passwords were abused, and had reset the credentials out of an “abundance of caution.”

The web goliath has not yet confirmed the reset to any media, including El Reg, although ZDNet said it scored copies of the emails. If you’ve received any related messages, let us know, please.

Let’s not rush to judgement here: Amazon has oodles of partners and it could well be that the passwords were transmitted in clear text from a third party application or service, a suggestion we make given the seemingly small number of resets. Bezos’ book barn may not have been compromised in any way. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/amazon_password_reset/

Hacker predicts AMEX card numbers, bypasses chip and PIN

Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals.

The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting the functionality of magnetic stripe data.

It means criminals could use the tiny gadget to keep pillaging cash after cards have been cancelled, at businesses that do not require the three- or four-digit CVV numbers printed on cards.

American Express has been notified and says it is working on a fix.

“Magspoof is a device that can spoof any mag stripe or credit card entirely wirelessly, can disable chip and PIN (EMV) protection, switch between different credit cards, and accurately predict the card number and expiration on American Express credit cards,” Kamkar says.

“You can put it up to any traditional point of sales system and it will believe that a card is being swiped.

“I pulled up the numbers for several other AMEX cards I had and compared to more than 20 others and found a global pattern that allows me to accurately predict replacement numbers” and expiration dates.

A .GIF of the device in action is yours for the viewing here.

The wireless function works by emitting a strong “electromagnetic field” that emulates that produced when physically swiping a card.

Interested researchers can download the necessary code and follow the instructions to build the device, but it will be somewhat neutered, because Kamkar has removed the ability to deactivate EMV and has not released the AMEX prediction algorithm.

It will still emulate cards and help researchers better tinker in the field.

Kamkar says hackers can build their own versions of Samsung MST or Coin with additional features that the two popular applications lack.

They will require no more than a micro-controller, motor-driver, wire, a resistor, switch, LED, and a battery. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/kamkar_credit_card/

Why Microsoft yanked its latest Windows 10 update download: It hijacked privacy settings

Microsoft withdrew downloads for its latest official edition of Windows 10, version 1511, after it meddled with people’s privacy settings.

Earlier we reported how Redmond disappeared the update, which could be fetched via the official media creation tool (MCT). The download became available in mid-November after Microsoft announced it as a major upgrade for Windows 10.

MCT is aimed at IT professionals and enthusiasts juggling many PCs: rather than have each computer upgrade to the latest build of Windows 10 via gigabytes of Windows Update downloads, you can instead download and create a single .ISO image of the operating system via MCT, write the image to a DVD or USB stick, and install the software on as many machines as you’re licensed to.

So if you wanted to bring a bunch of Windows 8 machines up to the latest Windows 10, you’d pop into each of them a DVD or USB stick built from the latest MCT download, and save yourself a lot of time and bandwidth.

So when the November MCT download vanished over the weekend, it was a pain in the ASCII for people – it forced folks to install the July launch edition and then apply loads of patches from Windows Update across the board. (If you’ve already got a single Windows 10 computer and are upgrading via Windows Update, none of this really affects you; you’ll get version 1511 soon, if not already, automatically.)

Now Microsoft’s finally come clean on why it yanked the self-contained download of Windows 10 version 1511.

According to Redmond on Tuesday, “when the November update was installed, a few settings preferences may have inadvertently not been retained for advertising ID, Background apps, SmartScreen Filter, and Sync with devices.”

Fair play to Microsoft for shedding light on the blunder. Basically, its operating system allowed apps to access people’s unique advertising ID numbers; the SmartScreen Filter, which sends executables to Microsoft servers for analysis, was enabled; software was allowed to run in the background; and settings and passwords would be backed up to the cloud. If you had previously disabled any of those, they would be re-enabled by the MCT-derived upgrade over a previous Windows 10 install.

So in effect, installing version 1511 of Windows 10 via the MCT on Windows 10 machines overwrote the user’s privacy settings.

“Recently we learned of an issue that could have impacted an extremely small number of people who had already installed Windows 10 and applied the November update,” a spokesperson told The Register on Tuesday.

“Once these customers installed the November update, a few of their settings preferences may have inadvertently not been retained. For these customers, we will restore their settings over the coming days and we apologize for the inconvenience. We worked to resolve the issue as quickly as possible – it will not impact future installs of the November update, which is available today.”

Indeed, this update is supposed to correct the overwritten settings. Microsoft has come under fire for its odd approach to privacy in Windows 10, but at least in this case it acted fast fixing the cockup.

The November update, version 1511 aka build 10586, is now available again via MCT for people with machines to manage. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/windows_10_download_explained/

Fifth arrest in TalkTalk hacking probe: Now Plod cuff chap in Wales

Cops probing the TalkTalk mega-hack arrested a teen in south Wales on Tuesday.

The 18-year-old is the fifth suspect to be cuffed in connection with the computer security breach at the UK ISP.

Detectives from the Metropolitan Police Service’s Cyber Crime Unit and officers from Southern Wales Regional Organised Crime Unit, armed with a warrant, detained the young bloke while searching a home in the town of Llanelli.

The lad was held on suspicion of blackmail, and was taken to Dyfed Powys police station where he was quizzed by investigators.

At the end of October, TalkTalk admitted it was hacked, and that sensitive information on thousands of subscribers was swiped from its databases.

Since then, there have been a string of arrests: on Monday, 26 October, a 15-year-old boy from County Antrim, Northern Ireland, was cuffed. On Thursday, 29 October, a 16-year-old boy was arrested in Feltham, west London. On Saturday, 31 October, detectives booked a 20-year-old man in Staffordshire, and on Tuesday, 3 November, a 16-year-old boy was collared in Norwich.

All four were held on suspicion of Computer Misuse Act offenses, and all four have been bailed while the investigation continues. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/talktalk_fifth_arrest/

Dell computers bundled with backdoor that blurts hardware fingerprint to websites

Analysis: Dell ships Windows computers with software that lets websites slurp up the machine’s exact specifications, warranty status, and other details without the user knowing.

This information can be used to build a fingerprint that potentially identifies a person while she browses across the web. It can be abused by phishers and scammers, who can quote the information to trick victims into thinking they’re talking to a legit Dell employee. And, well, it’s just plain rude.

A website created by a bloke called Slipstream – previously in these pages for exposing security holes in UK school IT software – shows exactly how it can work.

This proof-of-concept code exploits a weakness in the design of Dell’s support software to access the computer’s seven-character service tag – an identifier that Dell’s support website uses to look up information on the machine, including the model number, installed components, and warranty data.

Visit Slip’s page above to see it in action – assuming you have a Dell running Dell Foundation Services. Be warned, though, it does play some fun chiptune music, so mute your speakers if you’re still at work.

Slipstream says his website does not exploit the eDellRoot root CA certificate that turned up in new models of Dell laptops and PCs – but the Dell Foundation Services software that uses the dodgy cert.

As documented by Duo Security, Dell Foundation Services starts up a web server on TCP port 7779 that accepts requests for the service tag.

All a website has to do is, in JavaScript, request this URL:

http://localhost:7779/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag

and the foundation services returns exactly that – the service tag. No authentication required. This serial code can then be fed into Dell’s support site to look up information about the machine.

The Register has tested the proof-of-concept site and verified that it does indeed pull up the service code on an Inspiron 15 series laptop bought in July. Slipstream also confirmed to The Reg that his script works even when the vulnerable root CA cert is removed by Dell’s prescribed methods.
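A defender’s self-check for the exposure described above, as an added example (not Dell’s, Duo Security’s or Slipstream’s code): it asks the loopback listener on TCP 7779 for the URL quoted in the article and reports whether the machine answers without authentication, masking the tag in the report. A small constructed stand-in server is included so the check can be exercised on any machine; the sample tag it serves is made up, and the real endpoint is only present on Dells running Dell Foundation Services.

```python
"""Local check for the Dell Foundation Services service-tag endpoint."""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path quoted in the article; the real service listens on 127.0.0.1:7779
DFS_PATH = "/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag"


def mask_tag(tag: str) -> str:
    """Keep only the last two characters so a report can be shared safely."""
    return "*" * max(len(tag) - 2, 0) + tag[-2:]


def check_service_tag_exposure(host="127.0.0.1", port=7779, timeout=2.0) -> dict:
    """Return {'status': ..., 'tag_masked': ...}; the full tag is never returned."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:  # connection refused: no DFS listener on this host
        return {"status": "not_listening", "tag_masked": None}
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{DFS_PATH}", timeout=timeout) as resp:
            body = resp.read(64).decode(errors="replace").strip().strip('"')
    except (urllib.error.URLError, OSError):
        return {"status": "listening_no_tag", "tag_masked": None}
    if not body:
        return {"status": "listening_no_tag", "tag_masked": None}
    # Something on this port hands out an identifier to any local HTTP client
    return {"status": "exposed", "tag_masked": mask_tag(body)}


class _FakeDfsHandler(BaseHTTPRequestHandler):
    """Constructed stand-in that answers the way an unauthenticated DFS would."""

    def do_GET(self):
        if self.path == DFS_PATH:
            body = b'"ABC1234"'  # constructed sample tag, not a real one
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_fake_dfs():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeDfsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo() -> dict:
    """Exercise the check against the stand-in rather than a real Dell."""
    srv, port = run_fake_dfs()
    try:
        return check_service_tag_exposure(port=port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("stand-in server:", demo())
    print("this machine, port 7779:", check_service_tag_exposure())
```

On a real Dell, a status of "exposed" means the Foundation Services listener is still running and removing the eDellRoot certificate alone has not closed the hole.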

Aside from the possibility that a scammer could use the support number to gain user trust for a phony tech support call or other security con job, the proof-of-concept demonstrates just how deeply a third party can probe into a user’s system by exploiting Dell’s now-notorious support tools.

Dell was thrust into the spotlight yesterday when researchers first broke word of eDellRoot, a rogue certificate authority quietly installed on Windows machines that can be exploited by man-in-the-middle attackers to decrypt people’s encrypted web traffic.

The Texas PC-slinger said the issue was merely a mishap related to its user support tools. Dell bristled at suggestions the flaw should be considered malware or adware, but nonetheless it has provided users with a removal tool.

The American biz has also pushed a software update that will automatically remove the vulnerable root CA cert from its machines. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/dell_backdoor_part_two/

Tor Project: Anonymity ain’t free, folks. Pony up

The Tor project is asking its supporters to donate money to help the nonprofit continue to operate.

The project has kicked off a fundraising effort to further expand its online anonymity network and further back educational projects.

Users can donate one-time cash sums or set up a monthly recurring donation. In addition to PayPal-based online donations, the Tor Project said it will accept money via Dwolla, Bitcoin, and old-fashioned check, cash, money order, and bank transfer.

The campaign is part of an effort by Tor to expand its cashflow beyond the university grants and government handouts it had previously relied on. As a nonprofit, Tor opens its year-by-year financial records to the public.

To help further the campaign, Tor enlisted the help of Citizenfour director Laura Poitras, who credited Tor with helping her stay in contact with NSA whistleblower Edward Snowden.

“There are so many reasons … that we want to protect our privacy and not broadcast every move we make online,” Poitras said in her endorsement. “Tor is an essential tool that is needed by people to do what they do.”

According to Tor, its major backers in this year alone have included the US Department of State, Reddit, the National Science Foundation (via four separate US university donations), Radio Free Asia, and what the group only calls “an anonymous North American ISP.”

Tor also said that it has received some 4,300 individual donations this year as well.

Though the Tor Project has found itself at odds with the US government for criminal activity taking place on the network, Tor has its roots in the US Department of Defense, and DARPA was listed among its top donors from 2001 to 2006. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/tor_project_donations/