STE WILLIAMS

Tech Insight: ‘Tis The Season To Be Hacked

It’s that time of year again. Friends and family searching for the perfect gift for their loved ones. Maybe even your awesome boss buying you multitool collar stays or a USB-controlled missile launcher. The problem is that as many of us rush out to make purchases online or at a local retailer, there are criminals (or cybercriminals, if you prefer) who are prepared to take advantage of the increase in business and decrease in eyes keeping watch.

The Dec. 19 press release from retail giant Target is a perfect example. According to the press release, a breach of payment card information occurred between Nov. 27 and Dec. 15, just in time for a sharp peak in sales. Target’s statement says that the breach has affected approximately 40 million credit and debit card accounts — not the kind of stocking stuffer you want to receive around Christmas.

The Target breach highlights several problems that organizations face during particularly busy seasons and holidays. The first is that employees are more likely to circumvent security controls when they are extremely busy and feeling rushed. We’ve all seen this in retail stores, and it happened to me last weekend buying Christmas tree stands.

The scenario plays out like this: An item you’re purchasing does not ring up with the discount as marked on the product display. The clerk calls a manager to get a price override, but the manager is too busy to come to the register and punch in his password. The manager gives his password to the clerk, and you get to continue on your merry way. More than likely, there is a policy about the manager giving out his password, but it is overlooked because everyone is busy. The clerk doesn’t mind because he doesn’t have angry customers waiting in line, and if he’s dishonest, the password may be handy for giving himself or friends extra discounts.

Similar circumstances happen all the time with managers and their subordinates, no matter what business they’re in. If it’s a busy season, such as holiday sales, tax season, or opening weekend ticket sales, employees will quickly circumvent security controls (if they can) in order to forgo the inconvenience and get on with their work.

Another problem that occurs around busy seasons is a huge uptick in purchases that results in a corresponding increase in logs and network traffic. Defenders tasked with monitoring and responding to incidents can be overwhelmed by the increase because now there are likely more logs — magnitudes more — they have to review. If the team responsible for this is understaffed, as are many security teams, then there are going to be incidents that get overlooked.

The fact that issues are overlooked is not necessarily the analyst’s fault. He may simply be overwhelmed because there is a twentyfold increase in events to review, so he misses something because he’s not trained or experienced to handle the situation. Or there may be technical issues that present themselves during the excessive load on network monitoring sensors, centralized logging system, and the SIEM responsible for correlating all the events. If not sized properly, any of those systems could fail to identify and alert the analysts of an event that needs further investigation.

A similar issue arises from not having enough eyes watching the logs because of holiday breaks. This is particularly relevant as we enter the Christmas season, but true for many different cultures that may take up to an entire month off for a religious holiday or cultural celebration. Just as we see employees more likely to circumvent security controls, there are also plenty of cases where the defenders are less diligent due to time off or office celebrations.

For example, I’ve consulted with several groups that do not staff their offices during Christmas, but have their security team take turns reviewing logs during the holiday break. There is little chance that the analysis taking place is as focused as if the team member were sitting in their office during the middle of June.

Many of the issues above are problems centering around proper staffing, while some can be attributed to technical issues and human nature. It’s critical that management and security teams know when these busy times are going to occur and plan accordingly with both technological and staff capacity. Attackers are more likely to focus on a business like Target when they know there’s a higher likelihood of the attack going unnoticed while there’s also an increase in information, such as credit card numbers, they can steal. As such, please plan accordingly … and have a Merry Christmas.

Article source: http://www.darkreading.com/attacks-breaches/tech-insight-tis-the-season-to-be-hacked/240164934

Update Now! A Holiday Carol

Update Now!
To the tune of “Jingle Bells”

Browsing through the Web
On a Win XP PC
Clicking random links
To see what I could see

Nothing looked amiss
No warnings to be seen
But there I was on Christmas Eve
With malware on my screen

Chorus:

Update now, update now
Update all the way!
Oh, what fun you will not have
With malware in your day.

Update now, update now
Update all the way!
Oh, what fun you will not have
With malware in your day.

A day or two ago
A pop-up did appear
“Update now,” it said
I canceled with no fear.

My antivirus, too
Expired late last year
I thought I’d save a buck or two
But now I’m paying dear.

(chorus)

Can’t get enough holiday infosec songs/poems? Here are a couple more: “A Nightmare Before Christmas” and “Grandma Got Infected by a Trojan.”

Article source: http://www.darkreading.com/sophoslabs-insights/update-now-a-holiday-carol/240164935

Use of Tor pointed FBI to Harvard University bomb hoax suspect

A 20-year-old US man and Harvard University student was arrested on Tuesday and charged with allegedly sending bomb threats to get out of a final exam.

An affidavit filed by the FBI on Tuesday alleges that Eldo Kim, of Cambridge, Massachusetts, on Monday morning emailed multiple bomb threats to Harvard University offices, including to the university’s police department, two Harvard officials, and the office of the president of the Harvard Crimson, which is Harvard’s daily student newspaper.

The subject line of the identical messages read “bombs placed around campus.”

The body of the email message:

shrapnel bombs placed in:

science center
sever hall
emerson hall

2/4. Guess correctly.

be quick for they will go off soon

The buildings referenced in the email are on the university’s main campus in Cambridge, Massachusetts.

Harvard police called in the FBI, and the four buildings were immediately evacuated.

Bomb technicians and hazmat officers combed through the buildings for several hours but concluded that the threats must have been a hoax.

When it investigated the email messages, the FBI found that they’d come from Guerrilla Mail: a free email service that creates temporary, anonymous email addresses.

They also discovered that whoever had sent the emails had accessed Guerrilla Mail through the Tor anonymizing service, the affidavit says.

Tor is an anonymizing service that directs traffic through a worldwide, volunteer network that makes it difficult for law enforcement to trace a user.

Tor has, at least in the past, thrown up road blocks to law enforcement, as was made clear with the “Tor stinks” presentation from the National Security Agency (NSA) that The Guardian published in October.

Law enforcement leapt over the road block pretty easily in this case, however: investigators figured out that in the several hours leading up to the receipt of the email, Eldo Kim had allegedly accessed Tor using the university’s wireless network.

As security analyst Bruce Schneier pointed out in a blog post on Wednesday, this case underscores how using Tor can raise a red flag when somebody’s actually trying to pass undetected:

This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn’t have to break Tor; they just used conventional police mechanisms to get Kim to confess.

The affidavit says that Kim told investigators that he had picked the email recipients at random from a university web page and did it to get out of an exam scheduled for Monday morning.

The FBI also says that Kim stated that he had chosen the word “shrapnel” because “it sounded more dangerous.” He also told investigators that he wrote “2/4. guess correctly” so it would take more time for police to clear the area.

Kim was in Emerson Hall, where his exam was scheduled to take place, at 9 a.m. on Monday.

The affidavit says that when Kim heard an alarm go off, “he knew that his plan had worked.”

He could face a maximum five years in prison, three years of supervised release, and a $250,000 fine if charged under the bomb hoax statute, according to a press release from the Boston US District Attorney’s office.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/42r93zuwFek/

California looks to implement ‘kill switch’ as smartphone theft deterrent

A California senator plans to introduce new legislation in order to combat the rise in smartphone thefts across cities within the state.

Senator Mark Leno and San Francisco District Attorney George Gascón hope to make California the first US state to require smartphone manufacturers to incorporate a ‘kill switch’, a remote-controlled security feature, which would make lost or stolen devices inoperable.

Senator Leno announced the proposed new bill on Thursday, saying that:

One of the top catalysts for street crime in many California cities is smartphone theft, and these crimes are becoming increasingly violent. We cannot continue to ignore our ability to utilize existing technology to stop cell phone thieves in their tracks. It is time to act on this serious public safety threat to our communities.

The Federal Communications Commission reports that mobile phone theft constitutes 30-40% of all robberies across the United States, a crime that cost US citizens $30 billion in 2012.

In the Senator’s own state of California such thefts are even more prevalent, accounting for over 50% of street robberies; Los Angeles alone has seen a 12% increase in smartphone thefts over the last year.

If the kill switch legislation is passed, carriers will be able to remotely send a message to any device that has been reported as either lost or stolen. That message would trigger the device to ‘brick’ itself, effectively making it useless, and a far less appealing option for would-be thieves.

With a few exceptions, most phones do not offer any form of remote deactivation at this time, which makes them especially appealing to thieves, who can snatch and sell them on in a very short period of time.

One manufacturer that does offer deactivation is Apple, though Gascón would like to see such a feature become the default rather than an option:

Apple should be commended for leading the way and making efforts to safeguard their customers, but it is still too early to tell how effective their solution will be. Until Activation Lock is fully opt-out, it appears many iPhone owners will not have the solution enabled. This leaves iPhone users at risk as thieves cannot distinguish between those devices that have the feature enabled and those that do not.

Gascón, along with New York Attorney General Eric Schneiderman, has asked mobile phone manufacturers to propose methods of curtailing the theft of smartphones. Having presented the tech companies with a June 2014 deadline, Gascón said:

I appreciate the efforts that many of the manufacturers are making, but the deadline we agreed upon is rapidly approaching and most do not have a technological solution in place. Californians continue to be victimized at an alarming rate, and this legislation will compel the industry to make the safety of their customers a priority.

The bill will be formally introduced in January 2014.

Naked Security readers who wish to protect their Android devices in case of loss or theft can install Sophos’s free Antivirus and Security app which includes the following features:

  • Supports remote commands for Wipe, Lock, Alarm, Locate, Reset passcode and Message to finder
  • Reporting of the device location before the battery runs out
  • Notification if the SIM card is replaced

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-NsbNo7pX9c/

MailOnline pulls recipe site after innocent young cookbook DEFILED

The Mail Online has pulled its recipes website after it was vandalised by Libyan cyber-hijackers.

The UK mid-market tabloid’s content partner MyDish was defaced by “The Great Team” hacking crew on Monday in a hack recorded by defacement archive Zone-h here (warning: link auto plays mildly annoying music). The defacement is also recorded by the Wayback Machine at archive.org here.


The compromised site might easily have been used as a platform to serve up malicious code but it appears the hackers involved confined themselves to bragging about their conquest. The defacement message omits any political message and is characterised by a screen-cap of the benign Professor Dumbledore from the Harry Potter movies with the caption “I own this shit”. The Great Team are a prolific defacement crew who have claimed the scalps of more than 2,100 websites over the last two years.

The MailOnline responded by updating the DNS so that recipes.dailymail.co.uk pointed to its own server rather than that of MyDish, through use of a server that handles redirects. The paper also removed the link to the recipe subdomain from its Health news tab – it was there earlier in December, but has since vanished. The recipe site had been previously advertised as “powered by MyDish”.

El Reg was unable to find any evidence of the other subdomains being attacked. It appears that the compromise was restricted to recipes.dailymail.co.uk.

At the time of the hack, recipes.dailymail.co.uk resolved to the IP address 78.143.240.61, which is owned by web-hosting company Dark Group (dg.co.uk) and is also the same IP used to serve mydish.co.uk.

The site was run from IIS 6.0 web server software from servers running Windows 2003, according to Zone-h.

We invited both MyDish and the Daily Mail Group to comment on the security snafu on Friday morning but are yet to hear back from either party.

This isn’t the first time recipes.dailymail.co.uk has been hacked. Last year, when it appears to have been a MyDish site served from Dark Group, it was defaced by the notorious Team Poison crew with a more political message (recorded by Zone-h here) criticising the Mail’s stance on issues such as immigration.

Bootnote

Thanks to Reg reader Wyn for the tip.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/20/daily_mail_recipe_site_defacement_fail/

7 Reasons Why Bitcoin Attacks Will Continue

Bitcoins: Currency of the future, or perpetual plaything of Ponzi-schemers and money launderers?

Regardless of your views on the virtual currency or value system, just like dollars — physical or electronic — the cryptographic currency can be used for honest and dishonest dealings alike. But by using bitcoins, people expose themselves to additional information security risks. For starters, that’s because the skyrocketing value of a bitcoin has driven criminals to hunt for, and exploit, any and every related weakness they can find. Furthermore, when it comes to the infrastructure supporting bitcoins, weaknesses abound.

With that in mind, here are seven reasons why the increasing volume of bitcoin-targeting attacks won’t stop.

Read the full article here.

Article source: http://www.darkreading.com/vulnerability/7-reasons-why-bitcoin-attacks-will-conti/240164926

Target Confirms Massive Breach Affects 40 Million Customers

Retail giant Target confirmed Thursday that some 40 million customer credit and debit accounts may have been compromised in a breach of its online customer data.

In a statement posted on its website, Target said unauthorized access to payment card data “may have impacted certain guests” who made credit and debit purchases at its U.S. stores.

“Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue,” the statement says.

The data theft took place from Nov. 27 to Dec. 15, according to Target, and “may have impacted” 40 million customers. The company has not officially said how the breach occurred, but many experts suspect a compromise of the point-of-sale systems data at brick-and-mortar stores, because Target said its online business “was not affected.”

From the courts to social media, Target customers have reacted badly to the news of the breach. A customer in California filed a class-action lawsuit against Target late on Thursday. Samantha Wredberg said in a court filing that she was a regular shopper at Target and made a purchase at a company store on Dec. 8. Wredberg is seeking damages and requested the court to certify the lawsuit as class action.

Wredberg also asked the court to determine whether “Target unreasonably delayed in notifying affected customers of the data breach.”

Target’s stock was down 2.2 percent at $62.15 on the New York Stock Exchange on Thursday. Many customers made negative posts on the Target Facebook page, some stating that they will no longer shop at the company’s stores.

The security industry reacted quickly with comments about the breach. Some speculated on the cause of the breach; many others drew lessons and conclusions from its occurrence.

“It appears that the majority of this information was taken from the point-of-sale (POS) machines themselves, which were infected by malware that intercepted the data itself during the magstripe swipe,” said Kevin O’Brien, director of product marketing at CloudLock, in an analysis of the breach.

“Target’s POS machines were most likely designed to be fast, convenient, and easy for store employees and customers to use and maintain,” O’Brien said. “However, they were responsible for moving and managing a tremendous amount of high-value information, and it is clear that the security and monitoring systems in place were inadequately designed and managed.”

“The most likely scenario is the attackers hacked their way to a central relay point [in Target’s POS network], where they could snag credit cards coming through for processing from multiple stores,” said Lucas Zaichkowsky, enterprise defense architect at security incident response firm AccessData. “A second, less likely possibility is that the attackers identified a weakness replicated across multiple stores. They would then break into all affected locations the same way and set up their tools that sniff credit card data at the store level.”

“Recently, we have seen that attackers have been increasingly focused on small businesses and retail merchants,” said Bala Venkat, chief marketing officer at application security firm Cenzic. “When searching for vulnerable targets, attackers are discovering that many retail merchants and point of sale terminals haven’t implemented some of the basic security measures required by the PCI DSS (Payment Card Industry Data Security Standard).

“As a result, attackers increasingly are seeking to compromise the retail merchants environments through targeted, ‘production line’-type attacks,” Venkat said. “Unfortunately, these attacks go undetected for long periods of time due to a lack of monitoring by the retail merchants.”

Although some Target customers complained that the retail giant took too long to inform them about the breach, most security experts agreed that the company reacted relatively quickly, compared to other attacks on retail chains. Many experts compared the breach to the massive TJX compromise of 2007, which affected even more customers than the Target breach.

“What’s most surprising about the Target breach isn’t that it happened, but the speed with which Target was able to react – the window of time that the breach was in force was only a few weeks,” noted Mike Murray, managing partner of MAD Security, a firm which focuses on human vulnerabilities and solutions for enterprise security.

“This is a great deal more effective than we’ve seen in other breaches,” Murray said. “We need not to be punishing Target, but rewarding them for their vigilance – especially when the easiest behavior would have been to ignore their information security responsibilities or attempt to sweep the issue under the rug.”

Many experts pointed out that the data compromise indicates a possible breach of PCI DSS guidelines set by payment card providers, and that fines for negligence may follow. Attorneys General in New York and Massachusetts told the media that they have asked Target for more information about the breach and will evaluate whether the proper controls had been implemented.

“This raises the question, was Target PCI compliant?” asked W. Hord Tipton, managing director at security professionals’ association (ISC)2. “Most of the time in these investigations, companies hit like this aren’t really in compliance.”

Some retailers that have experienced major breaches were later found to be PCI compliant at the time of those breaches, which suggests that the guidelines may not be strong enough, Tipton stated.

“This breach puts PCI on the hot seat,” Tipton said. “Is this standard still the right one? Technology changes so quickly, and threat actors continue to advance their techniques. Do we need better standards that can keep up with the changing threat landscape? I’d say yes.”

While the industry struggles with the right standards, Target will have to take steps to keep its customers, said Conan Dooley, security analyst at Bishop Fox, a consultancy that helps enterprises evaluate their defenses and audit their compliance with security guidelines.

“How [the compromise] affects Target’s sales over the holidays is going to be largely determined by how they react to this breach,” Dooley said. “They could provide insight into the processes and resources being used to reassure customers that their data will be safe in the future. Or they could fail to handle the problem gracefully and erode the faith that consumers have in the brand.

“I think the best way for Target to regain trust would be to not only catch the individuals responsible, but also illustrate how they have secured their infrastructure against the threat of future attacks,” Dooley stated. “The worst reaction they could have would be to downplay or trivialize the seriousness of the breach, only to have their systems compromised again in the future.”

Article source: http://www.darkreading.com/perimeter/target-confirms-massive-breach-affects-4/240164927

Tech Insight: Tis the Season to be Hacked

It’s that time of year, again. Friends and family searching for the perfect gift for their loved ones. And maybe even your awesome boss buying you multi-tool collar stays or a USB-controlled missile launcher. The problem is that just as many of us rush out to make purchases online or in a local retailer, there are criminals (or cybercriminals if you prefer) who are prepared to take advantage of the increase in business and decrease in eyes keeping watch.

The December 19 press release from retail giant Target is a perfect example. According to the press release, a breach of payment card information occurred between November 27 and December 15 just in time for a sharp peak in sales. Target’s statement says that the breach has affected approximately 40 million credit and debit card accounts — not the kind of stocking stuffer you want to receive around Christmas.

The Target breach highlights several problems that organizations face during particularly busy seasons and holidays. The first is that employees are more likely to circumvent security controls when they are extremely busy and feeling rushed. We’ve all seen this in retail stores and it happened to me last weekend buying Christmas tree stands.

The scenario plays out like this: an item you’re purchasing does not ring up with the discount as marked on the product display. The clerk calls a manager to get a price override but the manager is too busy to come to the register and punch in their password. The manager gives their password to the clerk and you get to continue on your merry way. More than likely, there is a policy about the manager giving out their password but they overlook it because they’re busy. The clerk doesn’t mind because they don’t have angry customers waiting in line, and if they’re dishonest, the password may be handy for giving themselves or friends extra discounts.

Similar circumstances happen all the time with managers and their subordinates no matter what business they’re in. If it’s a busy season such as holiday sales, tax season, or opening weekend ticket sales, employees will quickly circumvent security controls (if they can) in order to forgo the inconvenience and get on with their work.

Another problem that occurs around busy seasons like we see with holiday sales such as Black Friday is a huge uptick in purchases that result in a corresponding increase in logs and network traffic. Defenders tasked with monitoring and responding to incidents can be overwhelmed by the increase because now there are likely magnitudes more logs they have to review. If the team responsible for this is understaffed like many security teams, there are going to be incidents that get overlooked.

The fact that issues are overlooked is not necessarily the analyst’s fault. They may simply be overwhelmed because there is a twentyfold increase in events to review and they miss something because they’re not trained or experienced to handle the situation. Or there may be technical issues that present themselves during the excessive load on network monitoring sensors, centralized logging system, and the SIEM responsible for correlating all the events. If not sized properly, any of those systems could fail to identify and alert the analysts of an event that needs further investigation.

A similar issue arises from not having enough eyes watching the logs because of holiday breaks. This is particularly relevant as we enter the Christmas season but true for many different cultures that may take up to an entire month off for a religious holiday or cultural celebration. Just as we see employees more likely to circumvent security controls, there are also plenty of cases where the defenders are less diligent due to time off or office celebrations.

For example, I’ve consulted with several groups that do not staff their offices during Christmas but have their security team take turns reviewing logs during the holiday break. There is little chance that the analysis taking place is as focused as if the team member were sitting in their office during the middle of June.

Many of the issues above are problems centering around proper staffing while some can be attributed to technical issues and human nature. It’s critical that management and security teams know when these busy times are going to occur and plan accordingly with both technological and staff capacity. Attackers are more likely to focus on a business like Target when they know there’s a higher likelihood of the attack going unnoticed while there’s also an increase in information, such as credit card numbers, that they can steal. As such, please plan accordingly and have a Merry Christmas.

Article source: http://www.darkreading.com/attacks-breaches/tech-insight-tis-the-season-to-be-hacked/240164934

Update Now!

Update Now!
To the tune of “Jingle Bells”

Browsing through the Web
On a Win XP PC
Clicking random links
To see what I could see

Nothing looked amiss
No warnings to be seen
But there I was on Christmas Eve
With malware on my screen

Chorus:

Update now, update now
Update all the way!
Oh, what fun you will not have
With malware in your day.

Update now, update now
Update all the way!
Oh, what fun you will not have
With malware in your day.

A day or two ago
A pop-up did appear
“Update now,” it said
I cancelled with no fear.

My antivirus, too
Expired late last year
I thought I’d save a buck or two
But now I’m paying dear.

(chorus)

Can’t get enough holiday infosec songs/poems? Here are a couple more: A Nightmare Before Christmas, Grandma Got Infected by a Trojan

Article source: http://www.darkreading.com/sophoslabs-insights/update-now-a-holiday-carol/240164935

Target confirms: Crooks may have spent holiday shopping season feasting on 40m filched payment cards

The US retail giant Target on Thursday morning confirmed that cyber crooks may have gotten their hands on about 40 million credit and debit card accounts starting the day before Thanksgiving, 27 November, and through into the heart of Christmas shopping mania, 15 December.

Target says that customers who used such payment cards in its US stores during those 2.5 weeks may be affected.

The retailer says on its site that it’s retained a “leading” third-party forensics firm to investigate the breach.

The Secret Service has also confirmed to news outlets that it’s investigating the breach.

So far, Target says, it’s determined that the breached data includes customer names, credit or debit card numbers, card expiration dates, and CVVs (cards’ three-digit security codes).

The breach was first reported by security journalist Brian Krebs on Wednesday.

Krebs cited unnamed sources at two major credit card issuers who said that the breach may extend to all Target locations nationwide, with one of the sources saying that the company was seeing victims from all over the US.

So far, there’s no indication that the payment details for online sales at Target were affected in the breach.

The theft involves data stored on the magnetic stripe of cards used at the stores, according to Krebs.

That data – known as “track data” – can be used to create counterfeit cards by encoding the data onto any card with a magnetic stripe.

If it turns out that the thieves managed to swipe PIN data for debit transactions, it means that they might also be able to reproduce stolen debit cards and withdraw cash from victims’ accounts via ATMs.

While it’s not yet known how the data was skimmed, hypotheses are swirling that it might be similar to another massive credit card caper at a retailer: namely, the 2007 hacking of retailers TJ Maxx, Barnes and Noble and BJ’s Wholesale Club, which involved a hacking ring that stole over 40 million credit and debit card numbers.

In that caper, the attackers initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers.

Reports emerged in 2007 that the data breach occurred because of weak WEP encryption in use at two Marshalls stores in Miami.

Once they had gained access, the hackers were able to install a packet sniffer on TJX’s network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.

But there are plenty more ways to steal credit card information – one such was evidenced in an October breach, when retailer Nordstrom found cash register skimmers planted in a Florida store.

At any rate, all is just conjecture at this point.

For now, Target is telling customers to keep an eye out for suspicious transactions on credit or debit accounts by regularly reviewing account statements and by monitoring free credit reports at www.AnnualCreditReport.com or call (877) 322-8228.

Those who do discover suspicious or unusual activity on their accounts or who suspect fraud should report it immediately to their financial institutions.

Incidents of identity theft can also be reported to law enforcement and/or to the Federal Trade Commission (FTC) at www.consumer.gov/idtheft or (877) IDTHEFT (438-4338).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QMNxhD5d1Tc/