STE WILLIAMS

Why some gift cards are still a gift to hackers

Gift cards are convenient, which is why they are so popular. If you can’t think of what to get for someone, they are an easy way to cover your bases without having to spend all night trying to think up the perfect thing. Unfortunately, they are also convenient for hackers.

Demonstrating just how convenient they are for hackers became a project for Will Caput, a professional pen-tester, starting about two years ago. It led to a presentation at Toorcon: San Diego this past weekend titled “Cash in the Aisles: How gift cards are easily exploited”.

In his summary, Caput noted that most people think gift cards “must be activated to have any monetary value”.

Not for anybody with some hacking skills, though, as he went on to say:

Weaker security features than the average credit card make these gift cards nearly as valuable as cash. Mass produced, their numbers follow a predictable pattern and have limited built-in security, such as a chip or PIN, to prevent fraud.

Not that this is a new problem. Gift cards have been a target of an endless variety of scams pretty much since they came into being. In the past, thieves would “sniff” the magnetic strip on the back with a scanner and then clone it.

In 2013, a Subway franchise owner and a partner hacked into at least 13 Subway point-of-sale (PoS) systems and fraudulently added at least $40,000 to Subway gift cards. They also sold other fraudulent cards on eBay and Craigslist. Fortunately, they got caught.

There are ongoing social media scams that trick people into thinking they can get a free gift card from major retailers ranging from Amazon to Walmart, Ikea, Starbucks, Costco, Argos and more.

But Caput’s project showed that hackers with even basic skills can turn gift cards into cash before anybody activates them, and without needing to trick anybody. He told Wired, prior to his talk at Toorcon, that it is easy to grab a stack of unactivated cards (vendors don’t mind, since customers can load them with value online). Comparing cards from multiple vendors, he found that most of the digits were identical from card to card; one digit changed with every card, and the last four digits appeared to be random.

By visiting the website the vendor provides for checking a card’s value, and then pointing Burp Intruder (the automated request-replay tool in the Burp Suite web-testing proxy) at the last four digits, it took him about 10 minutes to discover which cards carried how much value.

With that information, a hacker can use the card on the vendor’s e-commerce page. Caput said he even wrote them to a blank, plastic card with a $120 magnetic-strip writing device available on Amazon, and said most retailers would accept the card – although he said he only asked for the balance and didn’t make purchases.

Caput said he notified retailers of the flaw, and some responded by improving their security in a variety of ways – by taking down the web pages that let users check their value online, requiring users to verify their cards’ values by phone or by adding CAPTCHAs to their web pages.

But he said other vendors, which he didn’t name, did little or made changes that were easy for him to defeat. Even if a vendor demands a PIN in addition to the number on the card, he said Burp Intruder could brute-force that as easily as it did the last four digits of the card number.
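To make the attack and the fix concrete, here is an added example (not code from the article, from Caput’s talk or from any vendor) that simulates the balance-check enumeration described above and the lockout that stops it. The card layout, prefix and balance store are constructed for the example; no real issuer’s numbering is used.

```python
"""Gift-card balance enumeration and a per-client lockout, constructed to
mirror the attack described in the article. Added example, not vendor code."""

# Constructed card layout: every digit the attacker already knows (the digits
# shared across the stack plus the per-card digit) is folded into PREFIX, and
# the four trailing digits are the ones to guess. Hypothetical numbers only.
PREFIX = "60064923"
SECRET_SUFFIX = "4817"
TARGET_CARD = PREFIX + SECRET_SUFFIX

# Constructed vendor-side store: card number -> balance in dollars.
BALANCES = {TARGET_CARD: 50.00}


def check_balance_unprotected(card_number, client_id="anyone"):
    """The weak balance-check page: any card number, unlimited attempts."""
    return BALANCES.get(card_number)  # None means "no such card"


class RateLimitedBalanceCheck:
    """Same lookup, but a client is locked out after a few consecutive misses."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}  # client_id -> consecutive failed lookups

    def check(self, card_number, client_id):
        if self.failures.get(client_id, 0) >= self.max_failures:
            raise PermissionError("too many failed lookups; try again later")
        balance = BALANCES.get(card_number)
        if balance is None:
            self.failures[client_id] = self.failures.get(client_id, 0) + 1
        else:
            self.failures[client_id] = 0
        return balance


def enumerate_suffix(check, prefix, client_id="attacker"):
    """Try every 4-digit suffix in order until the vendor reports a balance.

    Returns (outcome, card_number, balance, attempts); outcome is 'found',
    'locked' (the defence triggered) or 'exhausted'.
    """
    for attempt, suffix in enumerate(range(10_000), start=1):
        candidate = f"{prefix}{suffix:04d}"
        try:
            balance = check(candidate, client_id)
        except PermissionError:
            return "locked", None, None, attempt
        if balance is not None:
            return "found", candidate, balance, attempt
    return "exhausted", None, None, 10_000


if __name__ == "__main__":
    print("unprotected:", enumerate_suffix(check_balance_unprotected, PREFIX))
    limiter = RateLimitedBalanceCheck()
    print("rate-limited:", enumerate_suffix(limiter.check, PREFIX))
```

Against the unprotected lookup the search finds the card on attempt 4,818 of a possible 10,000; at around 17 requests a second that is the ten minutes the article describes. Against the lockout it is stopped on attempt six. A per-client lockout only defeats a single Intruder run from one address, so a vendor also needs limits keyed on the card family, a scratch-off PIN with its own lockout, and alerting on lookup volume; a CAPTCHA that can be scripted around adds nothing.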

Evidence supporting the credibility of his findings came in a report earlier this year, which found that the number of discussions about stolen gift cards had spiked on the dark web marketplace AlphaBay between November 2016 and this past July, when the FBI shut down AlphaBay. The report said hackers were able to steal the value of the cards using the same technique Caput had reported.

The recommended fixes aren’t complicated: use strong CAPTCHAs (backed by rate limits and lockouts on balance lookups, since a CAPTCHA on its own only slows an automated tool) and put scratch-off coverings over the numbers. Most important, don’t leave the cards sitting on a counter for a hacker to grab and then return.

And for those looking for an easy gift that you don’t have to think about – it would be wise to think about the fact that somebody else might have drained the value of that card before your recipient even gets it.

Which would mean your gift would be worthless. Not a good way to cover your bases.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Syg9E8EPeWE/

Aw, bless EU! Give staff privacy at work, human rights court tells bosses

Companies operating in the countries bound by the European Convention on Human Rights, which include every EU member state, must balance workplace surveillance against employees’ privacy rights, the European Court of Human Rights has ruled.

The decision reverses a 2016 ruling by a lower chamber of the court that found no privacy issue with workplace communication monitoring. It marks the first time Europe’s top human rights body has addressed the monitoring of electronic communication at a private company.

There’s also the Court of Justice of the European Union, the chief arbiter of EU law; the ECHR is a separate institution, established by the Council of Europe rather than the EU, that oversees the application of the European Convention on Human Rights.

In August 2007, Bogdan Mihai Bărbulescu of Bucharest, Romania, was fired for personal use of Yahoo Messenger. He had created the account at the request of his employer, a company not named in court documents.

Bărbulescu challenged his termination in a Romanian court, insisting that his right to privacy, under Article 8 of the European Convention on Human Rights, had been violated. He claimed he had not been properly informed about communication monitoring.

Article 8, the “Right to respect for private and family life,” says: “Everyone has the right to respect for his private and family life, his home and his correspondence,” except as required by law, for public safety, national security, economic necessity, and upholding other rights.

The Bucharest County Court ruled against Bărbulescu in December 2007, finding that employers have the right to define internal rules for internet usage.

Bărbulescu appealed and lost again in 2008. That same year, he appealed to the ECHR.

The Chamber of the ECHR ruled against him in 2016.

Again, Bărbulescu appealed, and on Tuesday he received satisfaction from the court’s Grand Chamber, its highest formation.

The ECHR found that Romanian courts failed to consider whether Bărbulescu had been adequately notified that his communication might be monitored and whether the employer’s objectives could have been accomplished with less intrusion.

In a phone interview with The Register, Pam Dixon, founder and executive director of the World Privacy Forum, said the case is incredibly significant for Europeans because it means employers cannot completely ban personal communication while on the job.

Dixon said Bărbulescu for years kept losing in court. “It was basically the US argument: We’ve given you notice, you have no right to privacy in the workplace,” she explained. “But under Article 8, the Grand Chamber judgement was that employers do not have the right to disallow private communication in the workplace.”

Dixon doubts the ruling will have much impact in the US, but she said it raises some questions for multinational companies that operate both in the US and EU. At the very least, she expects affected companies will have to draft new communications policies for employees. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/06/eu_rights_court_limits_workplace_surveillance/

Please, pleeeease let me ban Kaspersky Lab from US govt PCs – senator

US Senator Jeanne Shaheen (D-NH) simply can’t wait to banish Kaspersky Lab’s antivirus from American government computers on the grounds it’s a security risk.

Her plan is to amend the nation’s latest National Defense Authorization Act, which is legislation that has to be passed each year to green-light funding and policies for the US military. It’s also a handy vehicle for sneaking pet agendas into law, each piggybacking the proposed act: there are 341 amendments on the House version of the bill already, and eight on the Senate version.

In June, Shaheen successfully lobbied the Senate Armed Services Committee to back her call to ban Kaspersky’s code from Uncle Sam’s systems. The panel duly concluded its scrutiny of the funding bill with the following recommendation, among others:

A provision that would prohibit any component of the Department of Defense from using, whether directly or through work with or on behalf of another element of the United States Government, from using any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.

And thus the Senate version of the defense funding act was updated to include the following text to rid US federal government computers of Kaspersky’s security tools by October 2018:

SEC. 1630B. PROHIBITION ON USE OF SOFTWARE PLATFORMS DEVELOPED BY KASPERSKY LAB.

(a) Prohibition.—No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.

(b) Severance Of Network Connections.—The Secretary of Defense shall ensure that any network connection between a department, agency, organization, or other element of the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform described in subsection (a) is immediately severed.

(c) Effective Date.—This section shall take effect on October 1, 2018.

This text has yet to be voted on by the Senate as a whole, which is due to debate the wording in the next few weeks. The provisions also have to pass the House before a finalized law can be presented to President Donald Trump to sign off. The House version of the military funding act has yet to include sanctions specifically against Kaspersky, we note.

In the meantime, Shaheen is on the offensive, drumming up support for her ban via her website and a New York Times op-ed on Tuesday.

“To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software,” she explained.

“The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what I fear is already a huge breach of national security data.”

Shaheen claims Kaspersky software potentially gives Russian President Putin an “all-access pass” to the computers it is on and beams sensitive information back to Kremlin servers. Under Russian law, the software biz has a responsibility to aid its home country’s internal security agencies, she posited, and as such the code has no place on US computers.

The banishment was previously floated as a way of “countering Russian aggression,” and follows years of Kaspersky-bashing inside Congress and outside. Amid the Senate Armed Services Committee’s deliberations, Eugene Kaspersky offered up the source code of his software for review – an offer no one in the US government has taken up.

Earlier, in May, five US spy bosses and the acting FBI chief were unanimous in saying they would not use Kaspersky software – although, like Senator Shaheen, they offered no evidence as to why. The following month the FBI raided the homes of some Kaspersky employees, but no arrests were made.

And in July the General Services Administration removed the biz from its list of government-approved purchases, severely limiting its further use. Senator Shaheen wants it banned outright.

“Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company,” the outfit told The Register.

“The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/06/banning_kaspersky_from_us_govt_computers/

Boffins hijack bootloaders for fun and games on Android

University of California Santa Barbara researchers have turned up bootloader vulnerabilities across a bunch of Android chipsets from six vendors.

The team of nine researchers decided to look at a little-studied aspect of Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp”, “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.

The tool turned up exploitable bugs in Huawei, Qualcomm, MediaTek, and NVIDIA bootloaders: six new bugs, plus CVE-2014-9798 which was already known but, it turned out, was still present in Qualcomm devices (since it was a known bug, 9798 also provided a handy reference to confirm that BootStomp was working as intended).

“Some of these vulnerabilities would allow an adversary with root privileges on the Android OS to execute arbitrary code as part of the bootloader”, the group writes in its paper.

“This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking).”

At the bottom of the problem: the bootloader’s chain of trust would ideally be the same for any chipset, but it’s not – Google’s left room for customisation to make life simpler for silicon vendors.

For example, in an ARM environment, chipset makers can put their own code into the process in any stage of the Trusted Boot process – and “no direction is given as to what code should be inserted at which points of the boot process”.

“Additionally, initialisation tasks cannot be too tightly coupled with the rest of the boot sequence, as peripheral hardware, such as modems, may incorporate code from different vendors and necessitate a modification of the initialisation process.”

The mobile GSM or LTE modem, for example, might be part of the system-on-a-chip (SoC) or a separate chip, and this dictates how the bootloader interacts with the chips and modem.

In other words, differences in smartphone design add decision points during boot, and could introduce vulnerabilities.

BootStomp architecture (figure)

In the Huawei bootloader, the researchers discovered a memory corruption vulnerability (exploitable to install a persistent rootkit); an arbitrary memory write (an attacker could run arbitrary code “as the bootloader itself”); and a way to root the device without user involvement.

Since a total of 38 possible bugs were discovered by BootStomp, it’s fair to say nobody fared much better. Huawei and NVIDIA are named in the report as confirming the reported vulnerabilities, and the authors say only one vulnerability was denied by the vendor. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/06/bootstomp_android_bootloader_attack/

News in brief: veterans among S3 leak victims; court rules on email privacy; man jailed for VPN sales

Your daily round-up of some of the other stories in the news

Veterans and TWC users’ data spills from leaky buckets

It’s only two weeks since we last wrote about yet another organisation spilling data online thanks to a misconfigured Amazon S3 bucket – and it’s not a new problem – so it gives us no pleasure to report not one but two more data breaches apparently resulting from someone not locking down their S3 bucket.

More than 4m Time Warner Cable customers in the US are the latest victims of a breach, with Kromtech reporting that some 600GB of data was visible online, apparently because TWC’s technology partner Broadsoft failed to secure a bucket holding a database export.

Broadsoft told Gizmodo that it didn’t think the data exposed was “highly sensitive”, adding: “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

But it’s not just TWC customers whose data has been spilled online – the personal details of thousands of American military veterans have also been leaked thanks to another misconfigured S3 bucket, said Upguard, which discovered the unsecured bucket.

Upguard analyst Dan O’Sullivan said that – as with the TWC breach – the data was spilled thanks to a third-party partner, in this case a private security firm called TigerSwan, which hires former service personnel. O’Sullivan added: “The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles.”

Amazon has provided guidance on how to make sure your S3 buckets are secure, and we can’t say this often enough: if you are responsible for data stored in the cloud, make sure it isn’t spilling sensitive information online.

Court rules on email privacy at work

A Romanian man who was fired 10 years ago for sending personal messages at work should not have lost his job, the European Court of Human Rights has ruled.

The ruling is the culmination of a process that began when Bogdan Barbulescu was sacked after sending personal messages to his brother and his fiancée via a Yahoo Messenger account he set up at work. His employer had used surveillance software to check up on him, and a Romanian court ruled in 2007 that the company had been within its rights to do so.

However, the ECHR has now ruled that the Romanian court had failed to protect his right to privacy and that his employer had not warned him that it monitored communications, nor the possibility that it might access his messages.

There was no suggestion that Barbulescu had put his employer at risk by using the account to communicate with his family, and the court said that there hadn’t been a sufficient assessment of whether the company had legitimate reasons to monitor his communications.

Pam Cowburn of the Open Rights Group in London said: “The European court’s ruling is welcome. In some workplaces it may be necessary for emails to be monitored, but if employers are going to do so, they should make staff explicitly aware of it.”

Chinese man jailed for selling VPNs to bypass Great Firewall

A man has been jailed for nine months in China for selling VPNs that allowed users to bypass the “Great Firewall of China”. Deng Jiewei, 26, from Guangdong province, sold VPN software via his website two years ago, and was arrested in October last year.

China has been cracking down on access to the web and social media platforms, driving many to circumvent the restrictions by using VPNs. Beijing’s crackdown was stepped up in January, forcing vendors to stop selling VPN software and leading Apple to remove VPNs from its Chinese app store.

Deng was sentenced back in March, but it was only over the weekend that news of his jailing was picked up over social media, reported the South China Morning Post.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nnuMpXK961c/

Apache Struts you’re stuffed: Vuln allows hackers to inject evil code into biz servers

Malicious code can be pushed into servers running Apache Struts 2 apps, allowing scumbags to run malware within corporate networks.

The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. Apache Struts is a popular open-source framework for developing applications in Java.

All versions of Struts since 2008 are affected, and every web application that uses the framework’s REST plugin is vulnerable, exposing organizations and projects to hijacking. Developers are advised to upgrade Apache Struts to version 2.5.13, which was released today.

Left unpatched, the flaw allows miscreants to inject malicious code into any server running a Struts application that uses the REST plugin, and execute it.

Exploiting the hole is as simple as sending a specially crafted web request to the application. The flaw is a programming blunder in the way Struts processes data from an untrusted source. Specifically, it’s an unsafe deserialization in Java similar to a flaw in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence, back in 2015.

A Semmle team led by Man Yue Mo identified the remote code execution vulnerability (CVE-2017-9805) using static code analysis.

“We strongly advise users of Struts to upgrade to the latest version to mitigate this security risk,” said Mo.

“The vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities.” ®
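The flaw class behind CVE-2017-9805, a framework turning attacker-supplied serialized data back into live objects, is easiest to see in a small runnable form. The following is an added example and not code from the article, Semmle or the Struts project; it uses Python’s pickle as a stand-in for the Java XStream path in the REST plugin, since the mechanics (the loader resolves and calls whatever class the data names) and the mitigation (an allow-list of the types the endpoint actually expects) have the same shape. The gadget only sets an environment variable, so the effect is observable without doing harm.

```python
"""Unsafe deserialization with pickle, as an analogue of the Struts REST
plugin flaw, plus the allow-list fix. Added example; not Struts code."""

import io
import os
import pickle

FLAG = "DESERIALIZATION_DEMO_PWNED"  # set by the gadget so the test can see it


class Gadget:
    """Attacker-controlled object: pickle stores the call to make on load."""

    def __reduce__(self):
        # On unpickling the loader runs exec(...) for us. A real payload would
        # spawn a shell; this one just proves code ran. Fresh globals dict so
        # the exec'd code does not depend on the caller's scope.
        return (exec, (f"import os; os.environ['{FLAG}'] = '1'", {}))


def build_malicious_payload():
    """What an attacker would send as the request body."""
    return pickle.dumps(Gadget())


def vulnerable_load(payload):
    """The flawed pattern: trust whatever the client sent."""
    return pickle.loads(payload)


class AllowListUnpickler(pickle.Unpickler):
    """Hardened loader: only the types the API expects can be resolved.

    builtins.exec, subprocess.Popen and friends are refused before they can
    be instantiated; this is the class-allow-list idea applied to pickle.
    """

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(payload):
    return AllowListUnpickler(io.BytesIO(payload)).load()


def demo():
    """Returns (code ran via vulnerable load, safe load refused it,
    benign data still round-trips through the safe loader)."""
    os.environ.pop(FLAG, None)
    vulnerable_load(build_malicious_payload())
    code_ran = os.environ.get(FLAG) == "1"

    os.environ.pop(FLAG, None)
    try:
        safe_load(build_malicious_payload())
        refused = False
    except pickle.UnpicklingError:
        refused = os.environ.get(FLAG) is None

    benign = {"order": 42, "items": ["a", "b"]}  # constructed API payload
    round_trip = safe_load(pickle.dumps(benign)) == benign
    return code_ran, refused, round_trip


if __name__ == "__main__":
    print(demo())
```

The vulnerable loader executes the gadget before any application code sees the request, which is why “send one crafted request” is the whole exploit. The allow-list loader fails closed: an unexpected type is an error, not an object, while ordinary API payloads still deserialize.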


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/05/apache_struts_vuln/

Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTC

Lenovo on Tuesday settled charges that it compromised the security of its computers to fling ads onto desktops from August 2014 through early 2015.

The settlement with America’s trade watchdog the FTC, plus 32 State Attorneys General, acknowledges no wrongdoing and imposes no financial penalty – other than a paltry $3.5m to those roughly three dozen states.

Instead, it forbids Lenovo from lying about the nature of software that injects ads or harvests data, if present on its computers, and obliges the company to get consent from customers before installing such software.

Furthermore, for the next 20 years, it requires the company to maintain a third-party audited risk assessment program for software on its computers.

“The FTC does not have the authority to obtain civil penalties for initial violations of the FTC Act,” an FTC spokesperson said in an email to The Register. “That said, Lenovo will spend money to hire outside auditors to monitor its security program. This relief will ensure that consumers are protected going forward. However, if Lenovo violates the terms of its settlement with the FTC, the company could face civil penalties.”

It’s not much of a punishment for what Cloudflare security researcher Marc Rogers characterized as “quite possibly the single worst thing I have seen a manufacturer do to its customer base.”

Three years ago, Lenovo began shipping laptops quietly bundled with software called VisualDiscovery, a version of Superfish’s ad-injector WindowShopper, customized for Lenovo. When Lenovo customers browsed the web and hovered over an image, the software would inject a popup ad for a similar product sold by one of Superfish’s retail partners.

The customization incorporated the Komodia SSL interception module, which let VisualDiscovery inject ads into both HTTPS and HTTP browsing sessions: it installed its own self-signed root certificate in the Windows trust store and served websites to the browser under certificates it minted itself, so the browser saw a trusted chain.

“This allowed VisualDiscovery to act as a man-in-the-middle, causing both the browser and the website to believe that they had established a direct, encrypted connection, when in fact, the VisualDiscovery software was decrypting and re-encrypting all encrypted communications passing between them without the consumer’s or the website’s knowledge,” the FTC complaint says.

Basically, the software hijacked an estimated 750,000 computers of Lenovo customers.
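The practical check after an incident like this is whether an interception root is still in the machine’s trust store. Here is an added example (not code from the article, the FTC, Lenovo or Superfish) that scans the roots Python’s ssl module loads from the platform store and flags self-signed ones whose subject matches a deny-list; the only real fact it relies on is that the Superfish root’s subject common name was “Superfish, Inc.”. The certificate records used for the self-test are constructed in the shape ssl.SSLContext.get_ca_certs() returns, not real certificates.

```python
"""Scan trusted root CAs for interception roots such as Superfish's.
Added example; the sample records are constructed, not real certificates."""

import ssl

# Substrings that should never appear in a trusted root's subject on a
# consumer machine. Extend for other known ad-injection/interception roots.
SUSPECT_SUBJECTS = ("Superfish",)


def subject_cn(cert):
    """commonName from a get_ca_certs()/getpeercert()-style certificate dict."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def is_self_signed(cert):
    """Roots are self-signed: subject and issuer are the same name."""
    return cert.get("subject") == cert.get("issuer")


def find_suspect_roots(certs, needles=SUSPECT_SUBJECTS):
    """Return the CNs of self-signed roots whose subject matches a needle."""
    hits = []
    for cert in certs:
        cn = subject_cn(cert)
        if is_self_signed(cert) and any(n.lower() in cn.lower() for n in needles):
            hits.append(cn)
    return hits


def scan_system_store():
    """Load the platform's trusted roots as the ssl module sees them and scan.

    On Windows this enumerates the system ROOT store, where Superfish's
    certificate was installed; on Linux it is the OpenSSL CA bundle.
    """
    ctx = ssl.create_default_context()  # loads default CA certificates
    return find_suspect_roots(ctx.get_ca_certs())


# Constructed records for the self-test.
SUPERFISH_LIKE = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
LEGIT_ROOT = {
    "subject": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),)),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Root CA"),)),
}

if __name__ == "__main__":
    print("self-test:", find_suspect_roots([SUPERFISH_LIKE, LEGIT_ROOT]))
    print("system store:", scan_system_store())
```

Browsers with their own certificate database (Firefox, for one) are not covered by a scan of the platform store and need checking separately. Removing the root is what matters: while it is trusted, anyone holding its private key, not just the ad software, can impersonate any HTTPS site to that machine.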

The FTC complaint charges Lenovo with:

  • Deceptively failing to disclose VisualDiscovery’s man-in-the-middle capabilities and its transmission of browsing data to Superfish.
  • Unfair practices, for installing the software without adequate notice or consent and for failing to take reasonable steps to deal with the security risks created by their software.

Disagrees

In a statement emailed to The Register, Lenovo said that while it disagrees with the allegations, it is pleased to bring the matter to a close.

“After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs,” a company spokesperson said in an email. “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications.”

Lenovo said that a policy implemented after the uproar over its software that limited the amount of pre-installed software on its PCs and introduced a security and privacy review process is consistent with the terms it agreed to as part of the settlement.

Lenovo may not be aware of any actual instances of exploitation, but it’s not clear how hard the company has looked. In early 2015, security researcher Robert Graham published a proof-of-concept exploit.

In a statement, FTC Commissioner Terrell McSweeny said she was troubled that the agency had failed to challenge Lenovo’s deceptive conduct.

“In this case, Lenovo deceptively omitted that VisualDiscovery would alter the very internet experience for which most consumers buy a computer,” she said. “I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive.”

In her own statement, FTC Acting Chairman Maureen K Ohlhausen dismissed McSweeny’s concerns, noting that while Lenovo failed to disclose that VisualDiscovery would intercept web traffic, it did disclose that the software would inject ads, and that consumers expect ad software to affect their browsing and be intrusive.

“In short, although VisualDiscovery’s ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use,” she said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/05/lenovo_gets_wristslap_from_ftc_for_superfish_adware_debacle/

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.

“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”

The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.

A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup, and is notifying the customers who were exposed.

“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”

BroadSoft did not return a request for comment.

This wouldn’t be the first time errant settings on an AWS S3 instance have left records out in the open. Other poorly configured databases were blamed for leaking data on Chicago voters, Verizon subscribers, and even researchers with the Republican National Committee. ®
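Both of the bucket leaks on this page (the TigerSwan records in the news round-up and the TWC data above) come down to an access grant that nobody reviewed. The following is an added example, not code from the article, Kromtech, UpGuard or AWS, that audits a bucket’s ACL and policy for public grants offline. The inputs have the shape boto3’s get_bucket_acl and get_bucket_policy return, but the samples are constructed. One point it makes explicit, which Kromtech’s quote above hints at: the “Authenticated Users” ACL group means any AWS account in the world, not the accounts in your organisation, so a grant to it is as public as one to “Everyone”.

```python
"""Offline audit of S3 ACL grants and bucket policies for public access.
Added example; the ACL and policy samples are constructed."""

import json

# Pre-defined S3 groups that make a grant public. AuthenticatedUsers is any
# AWS account holder anywhere, which is effectively anyone.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """(who, permission) for every ACL grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements whose principal is everyone."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be bare, not a list
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]


def audit(acl, policy_json=None):
    """Human-readable findings; an empty list means nothing public was found."""
    issues = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    if policy_json:
        issues += [f"policy statement {sid} allows Principal *"
                   for sid in public_policy_statements(policy_json)]
    return issues


# Constructed samples: one bucket left open the way the article describes,
# one locked to its owner.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for issue in audit(LEAKY_ACL, LEAKY_POLICY):
        print("PUBLIC:", issue)
    print("private bucket findings:", audit(PRIVATE_ACL))
```

To run it against a live account, feed it the dicts from boto3’s get_bucket_acl and the string from get_bucket_policy for each bucket. Object-level ACLs can open individual files even when the bucket ACL is clean, so list and check those too, and turn on the account-level Block Public Access setting so a future mistake of this kind is refused rather than silently honoured.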


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/05/twc_loses_4m_customer_records/

Yahoo! braces itself for enormous class-action suit over breaches

By now, the advice to the billions of people whose personal and financial information has been compromised by unending data breaches has become pretty standard: change your passwords. Use different ones for every site. Make them strong – long and complicated. Don’t use an easy-to-guess security question. Use two-factor authentication. Monitor your credit cards.

But to those who are among the victims of multiple Yahoo breaches since 2013 – well in excess of 1bn accounts, according to court filings – there’s something new to add to the list: join a class-action lawsuit. You have, as they say in legal proceedings, “standing”.

That is thanks to US District Court Judge Lucy Koh, of the Northern District of California, who last week rejected a motion by Yahoo to throw out a consolidated class-action lawsuit seeking compensation for damages from those breaches, which compromised its customers’ personally identifiable information (PII) and put them at risk of identity theft and other harm.

The 93-page decision is a very big, possibly precedent-setting, deal. As Rebecca Hughes Parker, global editor-in-chief of The Cybersecurity Law Report, put it:

It has been a hurdle for plaintiffs in the past who have tried to argue that risk of future identity theft was sufficient to give them standing under the constitutional requirements of Article III. Even the plaintiffs who did not allege harm from the actual misuse of their information met the standing requirement.

And according to Koh, it is because the risks to the plaintiffs are real, not just theoretical. Among the examples she cited:

  • A couple whose credit card information was stolen and used to make $900 in fraudulent purchases.
  • A man who was unable to file his tax return because a return had already been filed under his Social Security number, which led to numerous fraudulent charges on his credit cards plus $9,000 in college expenses for his daughters who were unable to apply for financial aid on time.
  • A woman who said her compromised email account led to the theft of her Social Security benefits.

Yahoo, in its motion to dismiss, contended that the 2014 breach, in which 500m accounts were compromised, was not due to carelessness or poor security, but because of the sophistication of the attackers.

The motion described it as “one of the most organized, sophisticated and relentless criminal attacks in cybercrime history, sponsored by the Russian Federal Security Service. This was no ordinary security breach, but a full-fledged, state-sponsored cyber assault …”

The source of the attack was confirmed by the US Department of Justice, which this past March announced the indictment of two officers of the FSB (Russia’s intelligence agency and successor to the KGB) working in its Center for Information Security.

The company also made the standard case against “standing” for the plaintiffs, arguing among other things that they couldn’t prove their damages were “fairly traceable” to the breaches.

It said that while the compromised information included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, it didn’t include credit card data or bank account information, which it said it doesn’t store in its system.

But Judge Koh did not find any of those arguments “persuasive”. She accepted the plaintiffs’ argument that their compromised email accounts themselves exposed credit and bank information:

… users used their Yahoo for a variety of personal and financial transactions, and thus that Yahoo email accounts contained, ‘records involving credit cards, retail accounts, banking, account passwords, IRS documents and social security numbers from transactions conducted by email, in addition to other confidential and sensitive information …’

So Yahoo’s customers are not the only ones now at risk. Koh’s ruling puts Verizon, Yahoo’s corporate parent, at significant risk as well. Verizon’s $4.8bn acquisition of Yahoo came at a “discount” of about $350m, due to possible liabilities from the breaches.

But the liabilities could vastly exceed that discount. Verizon’s attorneys don’t even need a calculator to know that if they get hit with damages worth only $10 for each compromised account, that would total more than twice what they paid to acquire Yahoo.

Which is probably why it is widely reported that Koh’s decision puts the suit “on a likely course for settlement”. Naked Security readers may recall that a couple of months ago Anthem, the largest health insurer in the US, agreed to a “record” settlement of $115m over a breach of about 80m patient records. Which is big bucks on one hand. But it would average out to the grand sum of only $1.46 per victim.

Indeed, Verizon is unlikely to want another judge or jury to hear the long recitation of Yahoo security failures cited by Koh, which include waiting years to announce the breaches – it took three years, until September 2016, to acknowledge the first major breach, of 1bn accounts, in 2013. That record could put Verizon on the hook for vastly more than $10 per account.

Not to mention that as of this past March, Yahoo was facing 40 class-action lawsuits in connection with the breaches, which means it probably does not want to set a negative precedent with this one.

Other breached companies are surely watching as well. As a post on ISMG put it, “the case will be closely watched for the long-term legal and financial implications of breaches.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0jxHR532JW0/

Would-be cyberattackers caught by malware with a sting in the tail

We all know that the dark web has marketplaces that sell malware to potential cyberattackers who would rather pay Bitcoin than spend time developing their own malware. So if you have Tor configured for access to the dark web and some money in a Bitcoin wallet, conducting malware attacks is easier than ever before. Why should an attacker bother learning how to code in the first place?

Well, sometimes convenience comes at a price – one that cannot be converted to any fiat currency or cryptocurrency.

The Trojan smells like a RAT. Zscaler ThreatLabZ, who discovered it, has named it Cobian. It’s based on njRAT, which originally surfaced around 2013. It has the features that people who buy malware on the dark web want: a keylogger, webcam control, remote code execution, and screen capturing.

But there’s more: unbeknown to customers, it also contains an encrypted library which has code that grants master control to Cobian’s developer. So while Cobian buyers get excited about acquiring their own botnet, Cobian’s author gets ultimate control of all of those botnets: it’s botnet acquisition as a sleazy pyramid marketing scheme. The researcher who discovered it said:

Cobian RAT appears to be yet another RAT that is spawned from the leaked njRAT code. It is ironic to see that the second-level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author.

Cobian’s executable payload disguises itself as a Microsoft Excel file. Cobian’s secondary payload then checks to see if the second-level operator is online. If so, then the code that enables the author to acquire master control operates to evade detection. If the second-level operator is offline, the secondary payload acquires the address of the author’s command and control servers from Pastebin. The researchers say:

During our analysis, we observed that when the machine name and username of the systems running the Cobian RAT payload and the control server are the same, the backdoor module will not be activated and no communication will be sent to the backdoor command and control server.

The original author of the RAT builder is assuming that there will be some testing performed by the second-level operators and that they will most likely use the same system for both bot client and server applications. To hide the presence of the backdoor module, there will be no traffic generated from the bot client to the backdoor command and control server in this case.

People who buy Cobian might think they’re clever, but the joke’s on them. And this isn’t the first time we’ve reported on RAT authors exploiting the people who buy their malware – and all we’ll say is: caveat emptor; buyer beware.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rsKFJ8WAGkM/