
Target Breach Widens: 70 Million Warned

Target on Friday announced that an ongoing digital forensic investigation into its recent data breach has found that personal information relating to 70 million customers was stolen.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” Target said in a statement, continuing the company’s marketing-spin habit of labeling customers as “guests.”

“At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals,” said Target. “This theft is not a new breach, but was uncovered as part of the ongoing investigation.”


Article source: http://www.darkreading.com/attacks-breaches/target-breach-widens-70-million-warned/240165335

Knox vuln is Android not us, says Samsung


Samsung and Google have taken an unusual step, jointly posting an advisory that a security problem revealed last month is not Samsung-specific, but is in fact an Android vulnerability.

Late in December, a researcher from Ben Gurion University of the Negev in Israel said there was a gap in the Knox security implementation in Samsung’s Galaxy S4 devices. Based on TrustZone technology, the Knox environment provides a virtualised secure container that’s meant to protect sensitive data from attack, even if the non-secure part of a phone is compromised.


The researcher, PhD student Mordechai Guri, found that an app could be installed in the insecure part of the phone that would be able to capture and expose communications that were meant to be secured.

At the time, Samsung disputed the university’s characterisation of the security vulnerability as a “category one” problem (that is, high severity), claiming that because the tests were conducted on store-bought phones, the target devices lacked the full enterprise suite of security features.

However, in an announcement published on Thursday, January 9, Samsung says: “Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.

“This research did not identify a flaw or bug in Samsung KNOX or Android; it demonstrated a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data,” the statement continues.

In that statement, Samsung claims that it collaborated with Google to confirm that the issue is an Android vulnerability. The company says enterprise users should guard against the issue using mobile device management, per-application VPNs, and the Knox FIPS 140-2 capabilities.

A Google spokesperson, in an e-mail to The Register, confirmed that the company had worked with Samsung to establish that the problem lies in Android. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/knox_vuln_is_android_not_us_says_samsung/

Banking apps: insecure and badly written, say researchers


Security researchers IO Active are warning that many smartphone banking apps are leaky and need to be fixed.

After testing 40 iOS-based banking apps from 60 banks around the world, the researchers produced a summary that is pretty nerve-wracking:

  • 40 per cent are vulnerable to man-in-the-middle attacks, because they don’t validate the authenticity of SSL certificates presented by the server;
  • 20 per cent lacked “Position Independent Executable (PIE) and Stack Smashing Protection enabled”, which IO Active says is used to help mitigate memory corruption attacks;
  • Half the apps are vulnerable to cross-site-scripting (XSS) attacks;
  • Over 40 per cent leave sensitive information in the system log; and
  • Over 30 per cent use hard-coded credentials of some kind.

Most worrying, however, are a couple of 90 per cent statistics: the number of apps that included non-SSL links, and the number that lack jailbreak detection. Even those with detection could still be installed: “All of the applications could be installed on a jailbroken iOS device. This helped speed up the static and black box analysis”, writes IO Active’s Ariel Sanchez.

By including non-SSL links in the apps, Sanchez says, an attacker could “intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
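Three of the findings above (missing PIE, missing stack-smashing protection, and plaintext http:// links embedded in the app) can be triaged from the binary alone, which is the kind of static check IO Active describes. The script below is an added example and is not IO Active's tooling: it reads the Mach-O header of a thin (single-architecture) iOS binary, tests the MH_PIE flag, looks for the stack-protector symbols the compiler emits, and extracts any http:// URLs. The two sample binaries are constructed byte strings (a header followed by a fake string table), not real apps; fat binaries are treated as unsupported here.

```python
"""Static triage of an iOS app binary for missing PIE, missing stack-smashing
protection and plaintext http:// links. Added example, not IO Active's tooling.
Assumes a thin (non-fat) little-endian Mach-O; split fat files with lipo first.
"""
import re
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE      # multi-architecture wrapper, stored big-endian
MH_EXECUTE = 0x2            # filetype: main executable
MH_PIE = 0x200000           # flag: executable may be loaded at a random address (ASLR)


def parse_header(blob: bytes) -> dict:
    """Return bitness, filetype and flags from a thin Mach-O header."""
    if len(blob) < 28:
        raise ValueError("too short to be a Mach-O file")
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        raise ValueError("fat binary: split it with lipo first")  # assumption: thin only
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header")
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (first 28 bytes
    # are laid out the same for 32- and 64-bit headers)
    _, _, _, filetype, _, _, flags = struct.unpack("<IiiIIII", blob[:28])
    return {"is64": magic == MH_MAGIC_64, "filetype": filetype, "flags": flags}


def triage(blob: bytes) -> dict:
    """Run the three checks and collect human-readable issues."""
    hdr = parse_header(blob)
    findings = {
        "pie": bool(hdr["flags"] & MH_PIE),
        # clang emits these symbols when -fstack-protector is in effect
        "stack_protector": b"___stack_chk_fail" in blob or b"___stack_chk_guard" in blob,
        # plaintext URLs: candidates for the interception/injection problem described above
        "http_urls": sorted({m.decode() for m in re.findall(rb"http://[\x21-\x7e]+", blob)}),
        "issues": [],
    }
    if hdr["filetype"] == MH_EXECUTE and not findings["pie"]:
        findings["issues"].append("executable built without PIE")
    if not findings["stack_protector"]:
        findings["issues"].append("no stack-smashing protection symbols")
    if findings["http_urls"]:
        findings["issues"].append("plaintext http:// URL(s) embedded")
    return findings


def make_sample(flags: int, strings: bytes) -> bytes:
    """Constructed input: a 64-bit arm64 executable header followed by a fake string table."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, MH_EXECUTE, 0, 0, flags, 0) + strings


# Constructed sample binaries (not real apps)
WEAK_APP = make_sample(0x0, b"\0http://bank.example/login\0_objc_msgSend\0")
HARDENED_APP = make_sample(MH_PIE, b"\0https://bank.example/login\0___stack_chk_fail\0")

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(name, triage(blob))
```

On a real device binary the same checks correspond to `otool -hv` (look for the PIE flag) and `otool -Iv | grep stack_chk`; the string scan is a first pass only, since URLs assembled at runtime or obfuscated credentials will not show up in it.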


“Moreover, it was found that 50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device,” he continues.

Buggy HTML in banking app

This UIWebView implementation allows a false HTML form to be injected. Source: IO Active

The IO Active post also details a number of other information leaks, including unencrypted data stored in sqlite databases, and information like IP addresses and application paths that could let a determined and skilled attacker draw inferences about the server-side infrastructure the app is talking to.

The research only looked at the client side, Sanchez states, and where possible, IO Active notified banks of the vulnerabilities he identified. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/banking_apps_insecure_and_badly_written_say_researchers/

Microsoft Twitter accounts, blog hijacked by SEA


Microsoft had two Twitter accounts and an official blog compromised over the weekend in another embarrassing security incident for the Redmond giant.

Attackers claiming to belong to pro-Assad group the Syrian Electronic Army (SEA) managed to crack the @MSFTnews and @XboxSupport accounts on Saturday and post various messages hash-tagged “SEA”, according to Mashable.


One read: “Don’t use Microsoft emails (Hotmail, outlook), They are monitoring your accounts and selling the data to the governments.”

The messages are no longer live and a Microsoft spokesperson sent the following statement to The Reg.

Microsoft is aware of targeted cyberattacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised.

The attackers were also apparently able to take control of The Official Microsoft Blog at blogs.technet.com and either force a redirect to their own site or display a homepage defaced with SEA slogans.

That blog is now back to normal and there was no Microsoft statement on the incident.

The group also tweeted screen grabs purportedly showing internal Microsoft emails related to the attacks, although as yet there has been no confirmation from Redmond on whether they are legit.

The embarrassing compromises come little more than a week after SEA attackers hit the official Skype Twitter account and blog to post more anti-Microsoft messages.

These also related to allegations from Edward Snowden that Redmond is being rather too compliant with NSA access requests.

Perhaps more damaging from a Microsoft perspective, however, is that such incidents lend credence to the notion that its internal security processes still aren’t up to scratch. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/microsoft_twitter_blog_sea_compromised/

Cicada 3301: The web’s toughest and most creepy crypto-puzzle is BACK


Poll: The internet is full of daft things. Animated cat GIFs, stupid headlines, NSA spies, etc.

But the online world isn’t just fields of mindless dreck. For instance, you could always take a crack at the web’s toughest crypto-puzzle: the ever-baffling Cicada 3301.


Appearing each year since 2012, these strange series of challenges have stumped clever netizens the world over. By solving the riddles, it appears you eventually get in touch with the quizmasters, who are no doubt interested in people with your skills.

Now 2014’s puzzle is underway after this image was linked to by this Twitter feed, which has been spewing raw data in tweets for the past few days. The picture shows this text: “Hello. Epiphany is upon you. Your pilgrimage has begun. Enlightenment awaits. Good luck. 3301.”

If you fiddle with the image to enhance the shadows, it reveals a winged cicada insect that featured in last year’s contest. But that’s just a distraction. If you run the original JPEG through steganography analysis tool OutGuess, you get a quote from the essay Self-Reliance by Ralph Waldo Emerson – plus a sequence of numbers separated by colons and a cryptographic signature generated by the PGP key used in the past by the Cicada 3301 team.

Each line of those numbers hidden in the JPEG file refers to a paragraph, sentence, word and letter in that Emerson text, which is used to gradually build up a URL. So, for instance, 1:2:3:1 means take paragraph 1, sentence 2, word 3, letter 1, which is an ‘a’.

The whole sequence constructs the URL auqgnxjtvdbll3pv.onion which refers to a web server running within the Tor network. That hands out another graphic that again uses steganography to hide a “good luck” message, RSA encrypted data and cipher variables that are needed to crack the encryption key to move on to the next part.
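The paragraph:sentence:word:letter scheme above is a classic book cipher, and the decoding is easy to automate once you fix the splitting rules. The script below is an added example, not the puzzle's files or any solver's code. The Emerson excerpt is not on this page, so SAMPLE_TEXT is a constructed stand-in, and the INDICES list is likewise constructed; on that sample, 1:2:3:1 happens to pick an ‘a’ just as in the article's illustration, but the decoded string is whatever the sample yields, not the real .onion address.

```python
"""Book-cipher index decoding: each colon-separated group p:s:w:l (all 1-based)
selects paragraph p, sentence s, word w, letter l from a reference text, and the
selected letters are concatenated. Added example; SAMPLE_TEXT and INDICES are
constructed stand-ins, not the puzzle's Emerson excerpt or its real indices.
"""
import re

# Constructed reference text: two paragraphs separated by a blank line
SAMPLE_TEXT = """Nothing is at last sacred but the integrity of your own mind. \
The soul always hears an admonition in such lines. Trust thyself!

Every heart vibrates to that iron string. \
Accept the place the divine providence has found for you."""


def split_paragraphs(text: str) -> list:
    """Paragraphs are separated by one or more blank lines."""
    return [p.strip() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]


def split_sentences(paragraph: str) -> list:
    """A sentence ends at . ! or ? followed by whitespace (or end of paragraph)."""
    return [s for s in re.split(r"(?<=[.!?])\s+", paragraph) if s]


def split_words(sentence: str) -> list:
    """Only runs of letters, digits and apostrophes count as words, so
    punctuation never shifts the word index."""
    return re.findall(r"[A-Za-z0-9']+", sentence)


def pick(text: str, spec: str) -> str:
    """Resolve one 'p:s:w:l' group to a single character."""
    p, s, w, l = (int(x) for x in spec.split(":"))
    if min(p, s, w, l) < 1:
        raise ValueError(f"{spec}: indices are 1-based")
    try:
        paragraph = split_paragraphs(text)[p - 1]
        sentence = split_sentences(paragraph)[s - 1]
        word = split_words(sentence)[w - 1]
        return word[l - 1]
    except IndexError:
        # an out-of-range group usually means the wrong edition or wrong splitting rules
        raise IndexError(f"{spec} does not exist in the reference text") from None


def decode(text: str, specs: list) -> str:
    """Concatenate the characters selected by each group, in order."""
    return "".join(pick(text, spec) for spec in specs)


# Constructed index sequence (not the puzzle's); decodes to "tor" on SAMPLE_TEXT
INDICES = ["1:1:3:2", "1:1:9:1", "2:1:6:2"]

if __name__ == "__main__":
    print("1:2:3:1 ->", pick(SAMPLE_TEXT, "1:2:3:1"))
    print("decoded ->", decode(SAMPLE_TEXT, INDICES))
```

The splitting rules are the whole game: a different edition, a stray line break, or counting "it's" as two words shifts every later index, which is why solvers compare notes on exactly which copy of the text to use.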

Crouching cipher, hidden lesson … the cicada insect revealed in the original image

If you want to see how far down the rabbit hole this goes, a bunch of code-crackers are documenting their ongoing progress here. In fact, last year’s puzzle is just as fascinating, involving finding bootable Linux CD images hidden online and locating and decoding posters on lamp posts dotted around the world.

It’s not entirely clear if anyone successfully passed the 2013 test, but how it was unravelled reads like a plot from an extremely nerdy novel. An IT security expert called Joel Eriksson managed to defeat the 2012 challenge, but arrived at the final server too late – the Cicada 3301 team had already found their winners. It’s believed those who arrive first are asked for their contact details, possibly revealing the whole thing is a job interview from hell.

You’ll notice that knowledge of cryptography, steganography, programming, computer networks, obscure literature and runes, and mathematics is essential in order to get anywhere at all.

No one knows who is behind the spooky tests, or if they do, they’re not telling. Apparently, it first surfaced on a grim 4chan.org discussion board about the paranormal, with the message: “We are looking for highly intelligent individuals.”

Perhaps, then, it’s just a 4chan prank, but Kenny Paterson, a crypto-professor at Royal Holloway, University of London, believes it’s too well organised to be a practical joke.

“There’s been several such competitions in the past. Google used to post puzzles on billboards beside the highways in Silicon Valley to attract people to come and work for them. A few years ago, our own GCHQ had a set of puzzles for people to solve as a way to recruit people with bright minds,” he told BBC Radio 4.

“It’s unlikely to be a spoof due to the lengths [Cicada 3301] have gone to. They are really sophisticated; they have all kinds of amazing, esoteric references in there to the work of [occultist] Aleister Crowley, for example, paintings by William Blake, and Maya numerals. It takes a long, long time to set up puzzles like this. It’s not something you can do in your spare time.”

So, what better way to decide what on Earth this thing is, than to put it to our Reg readers. Vote away in the poll below or pop a comment in the forums with other bright ideas, if you so wish. Or better yet, solve the mystery and tell us (PGP) what you found. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/11/cicada_3301_2014/

Target’s data breach MUCH bigger than first thought – now more than 100,000,000 records

US megaretailer Target is having a tough time of it.

Having said that, so are its customers – and even, as it now turns out, many of its non-customers, too.

Late in 2013, pretty much half way between Black Friday and Christmas, Target realised it had been, well, the target of an enormous data theft.

As far as Target could tell, its breach wasn’t quite in the very top league, such as those of Adobe and Sony, both of whom had been plundered in the past to the tune of more than 100,000,000 records.

But the breach at Target was epic by any standards, with 40,000,000 payment card records sucked up by cybercriminals.

→ Early reports suggested that printed CVVs (the three digit codes that only ever appear in printed form on the back of your card) had been stolen along with card numbers, expiry dates and so forth. We were sceptical, as we explained in Episode 127 of the Chet Chat podcast, because the stolen records appeared to relate to in-store purchases, also known as card present transactions, where the CVV is not used. Target subsequently confirmed that these printed security codes were not stolen. That reduces the risk of fraudulent on-line purchases, because card not present transactions usually require the CVV.

Sadly, Target just got promoted to the top league.

The company has now joined the “hundred million plus” data breach club, following its discovery that a further 70,000,000 records were plundered in the raid:

As part of Target’s ongoing forensic investigation, it has been determined that certain guest information – separate from the payment card data previously disclosed – was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

From this, it seems reasonable to infer that the crooks who got into Target’s network enjoyed much wider rein than was obvious at first, penetrating more than one business system.

Presumably, from Target’s use of the words “guest information,” this additional data wasn’t related only to customers who actually purchased something from one of the company’s stores during the November-December 2013 timeframe, but also potentially to anyone who has ever interacted with Target in any way.

In other words, you may be at risk from this exposure even if you’ve never bought anything from Target.

In some ways, this second part of the breach is worse than the first, because it involves truly personal PII (personally identifiable information).

That’s because, for most people, getting a new credit card is actually much less disruptive, and considerably easier, than getting a new phone number or a new address.

And in case anyone was in any doubt whether a breach is bad for the company that gets breached, Target has the answer.

As well as presenting bad news to its customers and so-called “guests,” the company has had to publish an update to its fourth-quarter financial predictions.

Target is warning shareholders that EPS (earnings per share) will most likely end up at $1.20-$1.30, down from earlier predictions of $1.50-$1.60.

It is also warning of poorer-than-expected sales, despite upbeat performance until the original breach announcement:

This outlook anticipates a fourth quarter 2013 comparable sales decline of approximately (2.5)%, compared with prior guidance of approximately flat comparable sales. The updated sales expectation reflects:

* Stronger-than-expected fourth quarter sales prior to the Company’s December 19, 2013, announcement of a payment card data breach;

* Meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days, and;

* A comparable sales decline of (2)% to (6)% for the remainder of the quarter.

Target isn’t mincing its words: the breach has hit the company where it hurts.

Let’s hope that there aren’t any more databases that the crooks got into while they were targeting Target.

Imagery of bullet hole courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xOJ-pIChF3M/


Target’s database raided, 70 MILLION US shoppers at risk of ID theft


Hackers swiped the names, home and email addresses, phone numbers and other personal information of up to 70 million Target shoppers, the superstore giant admitted today.

Evidence of the customer database raid was discovered during an investigation into the attack on Target’s payment systems that leaked 40 million credit and debit cards to cyber-crooks. That sensitive banking data, as well as the personal records, were siphoned unencrypted from Target’s computers between November 27 and December 15 last year.


In an advisory, the company said:

As part of Target’s ongoing forensic investigation, it has been determined that certain guest [customer] information – separate from the payment card data previously disclosed – was taken during the data breach.

This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

Staff at the US chain will now call and email customers whose contact information was illegally harvested to alert them that they are now at risk of identity theft and fraud. The company said it will only warn people of the blunder: anyone claiming to be from Target and asking for more details, whether by email or phone, will be a phishing crook.

“I know that it is frustrating for our guests [customers] to learn that this information was taken and we are sorry they are having to endure this,” Target chairman, president and CEO Gregg Steinhafel said.

“Our guests expect more from us and deserve better. And I want them to know that understanding and sharing the facts is important to me and the entire Target team.”

Customers’ bank card PIN numbers, stolen during the hackers’ holiday season ransacking, were encrypted using 3DES, although lifted card numbers – which can be used to clone a victim’s card – have been spotted for sale on underground marketplaces.

Target said people affected by the security breach will be offered one year of free identity-theft protection and credit-monitoring services. The biz also warned investors that the cock-up will hit the chain’s financial figures.

Anxious shoppers can find more details on Target’s corporate site. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/10/target_personal_information_breach_70_million/

How secure is your network? Take the test…

Are you responsible for IT security in your company? Do you know how safe your network really is?

Threats lurk everywhere, and it’s difficult for you to be in all those places at once.

So Sophos has developed a quick test to help you assess your security risk.

You have to answer 10 questions, and then you’ll get a scorecard rating at the end, including recommendations on how you can improve your security.

The test is free and you don’t have to part with any information in order to access it. We’d love to hear your feedback too, so please let us know what you think in the comments below.

Assess your network security risk

Image of meter courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H7ANHP7zhnU/