STE WILLIAMS

Amazon resets compromised passwords: Report

Amazon.com appears to be asking some of its customers to reset passwords after a breach of some sort.

The online bazaar sent cryptic emails to some of its account holders warning them that their passwords were blabbed in some way, and therefore have to be changed, according to ZDNet.

“We recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party. We have corrected the issue to prevent this exposure,” Amazon is reported to have told customers.

Amazon says it has no evidence that the passwords were abused, and has reset the credentials out of an “abundance of caution.”

The company has not yet confirmed the reset to any media, including El Reg.

Let’s not rush to judgement here: Amazon has oodles of partners and it could well be that the passwords were transmitted in clear text from a third party application or service, a suggestion we make given the seemingly small number of resets. Bezos’ book barn may not have been compromised in any way. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/amazon_password_reset/

Second Dell backdoor root cert found

A second root certificate has been found in new Dell laptops days after the first backdoor was revealed.

The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Dell has been contacted for comment. The Texas tech titan has called the first certificate gaffe an “unintended security vulnerability” in boilerplate media statements.

Carnegie Mellon University CERT says it allows attackers to create trusted certificates, impersonate sites, launch man-in-the-middle attacks, and passively decrypt traffic.

“An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority),” CERT bod Brian Gardiner says.

“Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA.

“An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software.”

Punters should move the DSDTestProvider certificate to the untrusted store using Windows certificate manager. They also need to kill Dell.Foundation.Agent.Plugins.eDell.dll to stop persistence.
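As an added example (not code from the article, CERT or Dell), a PowerShell audit that finds the two CAs named here and, more broadly, any trusted root whose private key is present on the machine, moves the named Dell ones to the Untrusted store as advised above, and looks for the persistence plugin. The search paths for the DLL are an assumption, since the page gives no install location.

```powershell
# Added example, not from the article, CERT or Dell: audit a Windows machine for
# the two Dell CAs named on this page and, more generally, for the anomaly they
# exemplify: a certificate in the Trusted Root store whose private key is
# present on this machine. Run in an elevated PowerShell (3.0 or later) session.

$KnownBadRootNames = @('eDellRoot', 'DSDTestProvider')

function Get-SuspiciousRootCert {
    param(
        [string[]]$Names = $KnownBadRootNames,
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($storePath in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue)) {
            $matched = $Names | Where-Object { $cert.Subject -like "*CN=$_*" }
            # Any root CA whose private key lives on the client is a problem:
            # whoever holds that key (here, every Dell owner) can mint certs
            # this machine will trust for any site or software signer.
            if ($matched -or $cert.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $storePath
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                    Reason        = if ($matched) { 'known Dell CA' } else { 'root CA with local private key' }
                }
            }
        }
    }
}

function Move-RootCertToDisallowed {
    # Moves (rather than deletes) the certificate into the Untrusted store of
    # the same hive, which is what the article recommends: a copy in the
    # Disallowed store is distrusted even if the cert is later re-added to
    # Root. Move-Item on the Cert: drive requires PowerShell 3.0+.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Store
    )
    $cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $Store" }
    $dest = $Store -replace '\\Root$', '\Disallowed'
    Move-Item -Path $cert.PSPath -Destination $dest
    return $dest
}

function Find-EDellPlugin {
    # The plugin DLL named on the page re-adds the certificate; locating it is
    # the first step to stopping that persistence. The search roots are an
    # assumption, because the page gives no install path.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter 'Dell.Foundation.Agent.Plugins.eDell.dll' `
        -Recurse -File -ErrorAction SilentlyContinue
}

$findings = @(Get-SuspiciousRootCert)
$findings | Format-Table -AutoSize

# Only the named Dell CAs are moved automatically; review the rest by hand,
# since a deliberately installed in-house CA can also carry a local key.
foreach ($f in ($findings | Where-Object { $_.Reason -eq 'known Dell CA' })) {
    $dest = Move-RootCertToDisallowed -Thumbprint $f.Thumbprint -Store $f.Store
    "Moved $($f.Subject) to $dest"
}
Find-EDellPlugin | ForEach-Object { "Persistence plugin present: $($_.FullName)" }
```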

The eDellRoot certificate was found this week in XPS, Precision, and Inspiron laptops.

Security bod Robert Graham says black hats should head straight to the international airport lounge and use the handy certificates and keys to plunder executives’ laptops.

“If I were a black hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” Graham says.

“I suggest international first class, because if they can afford US$10,000 for a ticket, they probably have something juicy on their computer worth hacking.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/dsdtestprovider/

Cyber Monday: What Retailers & Shoppers Should Watch For

Attackers have a variety of ways to commit fraud and may take advantage of busy time to sneak in a data breach.

While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.

The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app — or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money — like shipping fraud or chargebacks for fraudulent purchases made with stolen credit cards or gift cards bought with stolen credit card data — are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.

As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday “hacking season”: “Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches.”

[Read about PoS malware and new ways to trick new payment technology in “Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too.”]

Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers’ priorities, as well as the fact that shopping patterns are different during the holiday season than they are the rest of the year.

“On a big shopping day,” he says, “it’s harder to zero in on fraudulent behavior and respond to it quickly.”

According to the R-CISC: “Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it’s impractical to block IP ranges based on geography, because online sales can be global.”

Much of the fraud committed during the holiday season won’t be dealt with until January 15, says Munshani.

Plus, Munshani says that attackers will steal “anything that can be monetized,” which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they’re being shipped.

“Visibility into the supply chain can provide a competitive advantage,” says Munshani. “If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat.”

How are attackers likely to compromise retailers online this season?

Via vulnerable web apps

“[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong,” says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.

Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to troubles in their content management systems (CMS). 

“Some of these retailers are brick and mortar,” Yampolskiy says. “Doing good IT is not part of their core competence.” That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.

SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells — food, furniture, or footballs. The top performers, according to SecurityScorecard are: Guess (clothing), Dick’s Sporting Goods, Brookshire’s (grocery store), Quizno’s (fast food franchise), DyersOnline.com (Automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing). 

Via mobile devices

More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day, mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday and Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage through the year thus far, which is 41%, according to Iovation.

The good news, according to Iovation VP of Product Scott Olson: “We still see fraud rates a little lower on mobile, because it’s harder to automate on mobile.”

Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.

Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers and that none of the apps encrypted data written to disk.

Via online auctions

There’s also “triangulation fraud,” which Olson says is “a very clever way to monetize stolen cards.”

A triangulation fraudster sets up an online auction for an item they don’t actually possess — say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.

The bidder gets their purchase. The attacker pockets the bidder’s payment. (It doesn’t matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else’s money. Their net gain is still $100.)

The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.

Via gift cards

Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.

Retailers can’t do without the revenue made from gift cards, so they have attempted to offload the headache and the liability for gift card fraud by outsourcing it to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to be effective.

“CashStar does seem to be pretty good at reducing fraud,” says Alex Heid, chief of research at SecurityScorecard. “Chatter on the underground seems to confirm it,” he says, referencing frustrations voiced on hacker forums.

Better defense

Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the “friction” that makes impatient consumers decide to take their business elsewhere.

He recommends systems that request second factors of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like an SMS verification code. When a purchase is made for a large amount or from a region an accountholder is not usually traveling in, send a message to confirm the purchase.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/cyber-monday-what-retailers-and-shoppers-should-watch-for/d/d-id/1323303?_mc=RSS_DR_EDT

Cyber-terror: How real is the threat? Squirrels are more of a danger

Comment The UK Chancellor George Osborne last week announced that the British government plans to double cybersecurity spending and establish a single National Cyber Centre.

Cybersecurity spending will rise to £1.9bn ($2.87bn) at a time of budget cuts to police and other government departments. More details are expected to come in the Autumn Statement to Parliament on Wednesday.

Speaking at GCHQ last week, Osborne claimed that the extra spending is justified in large part because cyber-jihadists are trying to take down critical infrastructure – power stations, air traffic control systems and more. Daesh, aka the Islamic State, is plotting deadly attacks on computer systems – and is close to achieving the capability, the Chancellor alleged.

“I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totaling £1.9 billion over five years,” Osborne said.

“If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.”

Some of the money will go into an Institute of Coding as well as fighting cybercrime. But a major focus of the spending will come in further boosting the capabilities of GCHQ to tackle Daesh killers. Neither Russia nor China (the UK’s most capable cyber-espionage adversaries) merited a mention in the Chancellor’s speech.

Daesh, by contrast, were mentioned eight times. As well as talking about the use of the “internet for hideous propaganda purposes, for radicalization [and] for operational planning,” Osborne claimed the medieval terror mob posed a growing cyber threat.

But what are the capabilities of the self-styled Cyber Caliphate? Russia is now the chief suspect in the most serious network assault ever attributed to the Cyber Caliphate group, the hack on French TV station TV5 Monde back in April. Jihadist propaganda was posted on the station’s website by miscreants who claimed they were affiliated with the Islamic State. The TV network was knocked off air for about 18 hours.

Pretty much everyone took it at face value that the Cyber Caliphate was behind the attack, and it wasn’t until weeks later, once the dust had settled, that experts published evidence that undermined the Daesh-involvement hypothesis and fingered Russians as the likely culprit.

DDoS, defacement and social media hijacking

As explained in some depth by security expert Robert Pritchard, cyber-jihadism is likely limited to “website defacements, denial of service attacks or some sort of social media hijacking.” Pritchard published the article months ago, but he told us last week that the capabilities of cyber-jihadists haven’t changed much, in his assessment.

Hacktivists on the pro-Assad side – most notably the self-styled Syrian Electronic Army – are demonstrably capable when it comes to social media hijacking, which they normally pull off using phishing. Elements of malware slinging are also involved in both sides of the pitiless civil war in Syria.

But an ability for militias or terrorists to launch infrastructure attacks? Really there’s no evidence for that, at least in the public domain – even though some infosec firms are all too ready to ramp the threat level all the way down to DEFCON-1.

London calling

Anti-malware firm BitDefender last week implausibly warned that an “IS cyber-attack on the UK could cripple all forms of communication and infrastructure.”

Catalin Cosoi, chief security strategist at Bitdefender, stated: “A possible worst-case scenario is the crippling of all communication and critical infrastructures, ranging from mobile phone to water supply, electricity, and gas. This could be coordinated alongside a physical tactical assault, as disrupting any form of communication or internet-connected technology could be used as a serious tactical advantage on the ground.”

“It is conceivable that although Islamic State might not have the necessary technical skills, it could potentially outsource these types of attacks to parties that do. The black market is riddled with such services, all waiting for the right buyer,” he added.

Challenged by the Register to justify this warning, Cosoi referred to run-of-the-mill action movie Die Hard 4.0, and denied spreading fear, uncertainty and doubt. Independent experts, such as Steve Lord, are dismissive. “Bitdefender’s assertions are more grounded in Hollywood than reality,” he said.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/cyber_terror/

Dell Hands Hackers Keys To Customer Systems

Dell installs root certificate with associated private keys to create its very own Superfish scenario.

Dell customers are scrambling today to deal with a root certificate debacle that some security experts are likening to the Lenovo Superfish issue that emerged earlier this year. Brought to light in a reddit post over the weekend, the issue is with a root Certificate Authority (CA) certificate called eDellRoot that includes a private key and has been installed on new Dell computers and those updated by Dell software.

“It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug,” wrote Rob Graham, owner of Errata Security. “Dell needs to panic. Dell’s corporate customers need to panic.” 

According to the researchers with Duo Labs, the fact that eDellRoot is being shipped with an associated private key that is identical in all models is an epic fail. This information makes it trivial to impersonate websites, whether it be online banking sites, shopping sites, or Google.

“If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop’s wi-fi network could potentially sniff all of their web browsing traffic, including sensitive data like bank passwords (or) emails,” wrote Duo Labs researchers Darren Kemp, Mikhail Davidov and Kyle Lady. “The attacker could also manipulate the user’s traffic, e.g., sending malware in response to requests to download legit software, or install automatic updates – and make it all appear to be signed by a trusted developer.” 

According to Graham, if he were an attacker, he’d be out at the nearest big city airport by the international first class lounges and eavesdropping on encrypted communications in hopes of finding vulnerable Dell users. 

“I suggest ‘international first class,’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” Graham says.

For its part, Dell acknowledged the issue yesterday and posted instructions on how to remove the certificate from its machines. As of today, Dell software updates will remove the certificate, the company says. Dell also says that unlike with Lenovo, the root certificate was not used to insert adware on customer machines. 

“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers,” Dell said in a statement. “This certificate is not being used to collect personal customer information.”

This really doesn’t matter to the security community, though. While the fact that Superfish was meant to power adware made things worse, Graham says that the big problem was a root cert shipping with private keys.

“In this respect, Dell’s error is exactly as bad as the Superfish error,” he says.

According to Andrew Lewman, vice president of data development at Norse, enterprises should automatically be reinstalling operating systems rather than trusting default factory installs. Nevertheless, they should take extra precautions.

“As for protection, all enterprises should block the Dell certificate authority both on the network and on their devices. Uninstalling the certificate authority from laptops and desktops should be a matter of a policy update.” 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/dell-hands-hackers-keys-to-customer-systems/d/d-id/1323297?_mc=RSS_DR_EDT

Stealthy ModPOS Is ‘Most Sophisticated PoS Malware’ Ever

More than just a point-of-sale card scraper, it’s modular malware, and every module is a rootkit.

Just in time for the holidays, researchers at iSIGHT Partners are warning retailers about ModPOS — malware in their point-of-sale systems that is nearly impossible to detect, can do a whole lot more than just scrape customers’ credit card data, and has already successfully breached U.S. retailers.

“This is by far the most sophisticated PoS malware I’ve ever seen,” says Maria Noboa, senior threat analyst at iSight.

BlackPOS was behind the monster breach at Target, BackOff hit UPS and over a thousand others, and now new PoS malware like CherryPicker and AbaddonPOS have hit the scene. Yet none of them have the same level of complexity and commitment to stealth that ModPOS does.

“It took us two to three weeks just to determine it was malicious,” says Noboa. It then took researchers several more weeks to pick ModPOS apart and figure out how it works. In comparison, it only took them about 20 minutes to reverse engineer CherryPicker, says Noboa.

[PoS malware proves that Cyber Monday isn’t the only thing retailers and shoppers have to worry about over the holidays. Read “Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats Too.”]

ModPOS is modular. In addition to the PoS card scraper module, it also has a keylogger, an uploader/downloader (with which it could add other pieces), and plug-ins for scraping credentials, and gathering local system and network information.

So, explains Noboa, if it compromises the point-of-sale system and finds that the retailer has wisely encrypted all of the cardholder data or stored it elsewhere, ModPOS can still find ways to make its attack fruitful for them and damaging to the target.

The code was written by someone with exceptional skill, says Noboa. “The shell code they use,” she says, “are effectively full programs.” They found one piece of shell code contained over 600 functions.

The malware is able to stay persistent and obfuscated because every one of those modules operates in kernel mode, so, “each one is a rootkit,” says Noboa.

It’s also difficult to detect because all hashes are unique to the victim system. So the researchers can’t just hand out a list of hashes along with indicators of compromise, because it wouldn’t do anybody any good.

The researchers have not found any evidence of anyone selling ModPOS or even discussing it on underground forums. 

“All of this points to [the malware] being a profit center for someone,” says Noboa. They’re making their money from use of the malware, not sale of it, and they’re not interested in sharing.

All of this has helped ModPOS be quietly lucrative. iSight researchers believe the ModPOS attacks began as early as 2013, and have since stolen millions of credit and debit cards from unnamed U.S. retailers.

They don’t know yet how it’s being distributed right now or have a fix on the threat actor. They do say there are indications that point to Eastern Europe.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/attacks-breaches/stealthy-modpos-is-most-sophisticated-pos-malware-ever-/d/d-id/1323294?_mc=RSS_DR_EDT

Cisco Cert Tracker Offline After Pearson VUE Breach

Third-party certification credential manager used by Cisco and others is taken down after malware infection.

Pearson VUE has disclosed that intruders infected its certification credential manager system with malware. The system supports certification tracking programs for Cisco, F5 and other technology companies.

In the wake of the security breach, Pearson VUE has taken the system offline as it works with law enforcement to investigate the incident. The system appears to have been down for at least a week. Cisco said its certification tracking system is down, but that testing for Cisco certifications is unaffected and continues.

In a blog post Monday, Chris Jacobs, director of certifications and lab delivery technical services at Cisco, described the Pearson Credential Manager System (PCM) as “an important part of Cisco’s certification ecosystem” that enables users to manage and track their CCIE, CCNA, CCNP and other Cisco certifications.

Read the full article here on Network Computing.

Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years. She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily …

Article source: http://www.darkreading.com/attacks-breaches/cisco-cert-tracker-offline-after-pearson-vue-breach/d/d-id/1323300?_mc=RSS_DR_EDT

RSA Warns Of Zero Detection Trojan

GlassRAT has remained undetected for more than three years while stealthily targeting victims, security firm says.

It’s apparently not just zero-day vulnerabilities that organizations need to worry about these days, but also zero detection malware threats.

For the second time in recent weeks, a security vendor has issued a warning about a malware tool that appears to have evaded detection for multiple years while stealthily going about targeting victims.

The malware, called GlassRAT, appears to have been released back in 2012. The limited telemetry and anecdotal reports that are available on it indicate that GlassRAT has been used to target Chinese nationals at large multinational companies, RSA Research said in an alert released this week.

The “zero detection” malware, which is signed with a digital certificate apparently misappropriated from a Chinese software developer, is “transparent” to most antivirus tools, RSA researchers said in the report. It is detectable only via network forensics and specialized tools that are capable of detecting suspicious activity on endpoint systems, they said.

“GlassRAT appears to have operated, stealthily, for nearly 3 years in some environments,” the paper noted.

The RSA researchers described GlassRAT as a well-designed remote access trojan that is being used in a highly targeted manner. The dropper used to deliver the payload is digitally signed and deletes itself from the system after its task is complete. Once installed, the malicious file itself remains below the radar of endpoint anti-malware tools.

The malware provides reverse shell functionality on an infected system allowing the threat actors behind GlassRAT to directly connect to it from a remote location. The malware is designed to steal data, transfer files and relay system information to the attackers.

“What makes GlassRAT notable is not what it is, but perhaps rather where it came from, who is using it, and for what purpose,” the researchers said.

Available information on GlassRAT suggests that it is connected to, or at least has used the same command and control infrastructure that other malware campaigns in the past have used to target organizations of strategic and geopolitical significance, the RSA researchers said.

Two domains associated with GlassRAT, for instance, were previously associated with the Mirage and PlugX campaigns that targeted military and government organizations in Mongolia and the Philippines. The overlap window is fairly small, suggesting that the threat actors behind GlassRAT may have made an operational slip in using the same infrastructure.

The threat represented by malware like GlassRAT should not be underestimated because there may be many more undetected or non-detectable samples like it in the world, the researchers said. “It is also crucially important to recognize the potential origins of these attacks, when detected, to better understand risks to the organization.”

GlassRAT marks the second time this month when a security vendor has warned about a malware threat that remained undetected for a lengthy period. Earlier this month, Trustwave issued an alert on Cherry Picker, a point of sale malware tool that like GlassRAT remained below the radar for more than four years before being discovered.

Trustwave pointed to Cherry Picker’s use of encryption, modified configuration files and sophisticated obfuscation techniques as reasons why the malware remained undetected for so long. According to researchers at the company, no malware they have encountered goes quite as far as Cherry Picker does in cleaning up after itself after infecting a system.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/rsa-warns-of-zero-detection-trojan-/d/d-id/1323308?_mc=RSS_DR_EDT

Smile this Black Friday, you might well be on camera!

Get ready for Black Friday shopping MADNESS!!

$394.99 for a drone that captures HD 1080p video and 14MP photos?!

$300 off a 49-in. Smart UHD TV featuring a 4K Upscaler to enhance details to near 4K quality?!?!

Get out!

No, seriously, get out of those stores if you care about your privacy.

It’s not just scammers who want to suck personal data out of customers like a bunch of pan juice slurping bird basters this Black Friday. What about retailers themselves?

It may be legal, but it’s still data suckage, and according to a recent survey, plenty of people don’t like it one little bit.

“It” is this, specifically: anticipate that your face data points may well be recognized and matched as stores track you.

The survey was conducted over the summer by research firm Opinion Matters for big-data provider CSC. It involved 2049 UK consumers (both in-store and online) and 150 senior IT, marketing or digital retail executives.

It found that 74% of retailers admit they track customers from the moment they enter a store, including tracking visitor behavior; recording information about gender, age and how much time you spend in the store; or recognizing how many times you’ve been in the store.

31% use big data, 27% use facial recognition, and 65% track customers for security purposes: for example, they’re using facial recognition to spot shoplifters and to give store security a heads-up about who to keep an eye on.

As Fortune reported earlier this month, retailers are scanning shoppers to automatically pick out suspected thieves – all without any rules to protect their privacy.

If you want to know which retailers are acting like the retail version of Facebook, with its massive, ever-expanding facial recognition database and ever-more sophisticated recognition technologies, good luck with that.

Most of the retailers contacted by the magazine kept their lips zipped about whether or not they’re using the technology.

Home Depot says it’s not. Walgreens says it’s got no contract with one particular facial recognition technology company – but at any rate, it doesn’t talk about specific security measures. Target wouldn’t say yes or no.

In fact, Walmart was the only company that ‘fessed up to using the software: the retailer tested facial recognition software in stores across several states for several months, but then discontinued the practice earlier this year.

Not because of privacy concerns, mind you: rather, crunching the data on shoppers’ faces was just too darn expensive.

For those people who actually know what facial recognition technology is (56% said they didn’t), the idea of so many retailers using it – without informing shoppers, mind you – is disturbing.

According to the survey, a third – 33% – of consumers know what facial recognition is and find it intrusive, particularly people over the age of 55.

A quarter – 25% – of retailers said they’re using facial recognition technology in-store to get existing customers to come back and shop again. That figure rose to 59% for fashion and apparel retailers.

The larger retailers (101-250 stores) use facial recognition most frequently (43%).

Nearly half (49%) of all retailers are in favor of facial recognition technology. As little as 7% felt that it was intrusive for customers.

They’re pretty oblivious to the idea that customers might find this intrusive: 83% of retailers think that customers would respond positively to behavioral technology, saying either that it has improved the shopping experience or that customers have benefited from data-driven shopping experiences.

Only 9% of retailers felt that customers would object, and only 7% felt that customers wouldn’t even be aware of this type of technology used in-store.

The lack of rules governing the use of the technology in retail environments isn’t surprising: it’s just the latest wrinkle in the ways businesses have been glomming onto our details.

After all, in the past we’ve seen businesses trying to monitor potential customers by tracking their mobile devices: building shopper profiles by sniffing phones’ Wi-Fi, marketeers tracking your mobile phone as it broadcasts your movements around a shop, or even setting up rubbish bins to sniff the Wi-Fi of passers-by.

Then too, there was that beverage vending machine that takes photos of people, superimposes wigs on their heads and exhorts them to buy a drink, or even guesses those people’s names and genders: the better to target-market at them.

When it comes to facial recognition in particular, we’ve seen a Russian billboard advertising contraband that hides when it recognizes cops’ badges (admittedly, that would be less facial recognition than badge recognition, though the same principles apply).

But still, the fact that retail is the Wild West of facial recognition stands in sharp contrast to what’s happening outside of the stores.

In June, pro-privacy groups in the US walked out of discussions with the Department of Commerce over creating new standards for using facial-scanning software.

But while privacy groups have thrown up their hands, law enforcement has kept grabbing for more.

That appetite includes the FBI’s latest plans to expand its facial recognition database.

The US city of San Diego, for its part, quietly slipped the technology into the hands of law enforcers in 2013.

And what of Facebook, the face collecting/dissecting marketing machine?

In April, Facebook was hit by a class action suit in the US – along with the photo-service site Shutterfly – when consumers in the state of Illinois filed suits alleging violation of a state law related to biometrics.

One of the suits claimed that Facebook violated its users’ privacy rights in acquiring what it describes as the largest privately held database of facial recognition data in the world.

In European countries and Canada, meanwhile, automated photo tagging features are unavailable because regulators are a mite queasy about the privacy implications.

In 2012, the company opted to ditch the facial recognition program in Europe and delete the user-identifying data it already held there.

There’s actually been one (potentially) positive use of facial recognition suggested recently: Earlier this month, Facebook suggested using facial recognition to spot kids in photos and warn parents if they’re on the brink of sharing those images publicly instead of just with friends.

But here’s the biggest difference between facial recognition being used by Facebook vs. the cops, the Feds or the big-box electronics store down at the mall: at least with Facebook, we know what its face-crunching people are up to.

The company isn’t exactly shy about its sophisticated technology.

That’s why we know, for example, that Facebook’s DeepFace technology rivals humans’ ability to recognize faces, accurately identifying faces 83% of the time, even in profile or with features obscured.

We know Facebook is after our faces. We can choose to stay off the site if we find that unacceptably intrusive.

We don’t know what retailers are up to. This is true even in privacy-sensitive Europe.

So if Black Friday finds you packed in like a sardine, battling with co-shoppers for whatever door-buster deal got you off the couch, get ready to grin and bear it: the cameras well might appreciate both the grin and having you give a sunglasses-free, full-face frontal.

Image of stop sign courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5LjuPH86tQM/

How Rickrolling is hindering counter-terrorism

When Anonymous launched its “very many cyberattacks” retaliation against the Islamic State (IS)* following the Paris attacks, we didn’t really know just what, exactly, it would entail.

Now we do. It entails Rick Astley.

People claiming affiliation with the Anonymous brand on Wednesday tweeted that they were preparing to launch Rickrolling attacks.

Rickrolling, for those unfamiliar with the ancient-by-internet-standards meme, is the bait-and-switch prank of posting links on social media accounts that connect to Rick Astley’s 1987 music video, “Never Gonna Give You Up”.

Anonymous “declared war” on Daesh* early last week, warning in a YouTube video that:

These [Paris] attacks cannot be left unpunished.

Within 24 hours of Daesh having called Anonymous “idiots,” Anonymous claimed to have taken down 5,500 of the group’s accounts.

The Anonymous-affiliated are, as is characteristic, proud of what they consider their hacking prowess.

Anonymous spokesman Alex Poucher told RT:

Our capability to take down ISIS is a direct result of our collective’s sophisticated hackers, data miners, and spies that we have all around the world. We have people very, very close to ISIS on the ground, which makes gathering intel about ISIS and related activities very easy for us.

[The collective has built tools that] might be better than any world government’s tools to combat ISIS online.

But the intelligence agencies of the world’s governments are neither amused nor aided by the group’s antics.

In fact, shutting down every Daesh-affiliated social media account they can find is hindering counter-terrorism.

One of the security groups that rely on the terror group’s social media presence to infiltrate and monitor jihadist accounts and forums is Ghost Security Group, known as GhostSec.

Like Anonymous with its denial-of-service (DoS) attacks, GhostSec also takes down terrorist sites – but it does so with far more discretion, aiming primarily for recruitment sites.

But that’s not all it does: GhostSec also reaps information from Daesh accounts.

Any important information it gathers, such as plans for major terrorist attacks and bomb-making instructions, it passes on to US intelligence agencies, such as the FBI.

This, not Rickrolling or DoS, is the type of counter-terrorism cyber work that’s productive. For example, GhostSec once passed information through a third party to the FBI that reportedly disrupted a suspected Daesh-linked cell in Tunisia as militants plotted a 4 July repeat of the Sousse beach massacre.

As Foreign Policy reports, GhostSec pulled it off with a mixture of Twitter tracking and geolocation via Google Maps.

As Tech.Mic tells it, Anonymous may boast about the closure of Daesh accounts, but it’s really GhostSec that’s responsible for doing the bulk of the work when it comes to fighting the group online.

A GhostSec spokesman known as DigitaShadow had this to say about Anonymous’s less nuanced tactics:

When it comes to terrorist attacks, one of the big worries is that you could take down forums and cost someone their lives.

Anonymous has a habit of shooting in every direction and asking questions later.

Rickrolling is good for lulz.

Mind you, lulz are a welcome relief from horror.

Seriously. Saints bless the Belgians who responded to the #BrusselsLockdown by flooding social media with cat photos.

But when it comes to hampering the work of real counterterrorism, there’s little room for lulz.

*Given that IS isn’t actually a state, and that Isis is the name of an Egyptian nature goddess and of some women and girls who don’t deserve to be tormented over their lovely name, some prefer to call the terrorist group Daesh.

Image of Rick Astley courtesy of youtube.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tkejgZXoiVc/