STE WILLIAMS

Visa and MasterCard warn of credit card data breach

Updated: Visa and MasterCard have been quietly informing banking partners that a third-party supplier has suffered a major breach of security that could let the attacker clone users’ cards.

According to Krebs on Security, the card brands are warning that a successful attack appears to have occurred between January 21 and February 25, and that Track 1 and Track 2 data could have been stolen. Those terms refer to the data encoded on the magnetic stripe on the back of a card: the account number, expiry date and service code, plus the cardholder name on Track 1. With a complete copy of that data an attacker can write a working clone onto blank stripe stock, which is why its theft is treated far more seriously than the loss of account numbers alone; the clone works anywhere a transaction is accepted on the stripe by itself.
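As an added illustration, not from the article, from Krebs or from the card brands: the scanner below is the kind of thing a PCI forensic investigator or a DLP tool runs over memory dumps and log files to find track data that a processor should never have retained after authorisation. The track layouts follow ISO/IEC 7813; the dump it searches is constructed here using published test card numbers, and the function names and masking rule are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List

# Track layouts per ISO/IEC 7813 (the magnetic-stripe data referred to above):
#   Track 1: %B<PAN>^<NAME>^<YYMM><3-digit service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><3-digit service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit used by all major card brands; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def chip_present(service_code: str) -> bool:
    """A first service-code digit of 2 or 6 means the card also carries an EMV chip."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    offset: int
    pan_masked: str
    expiry: str          # YYMM
    service_code: str
    chip: bool


def find_track_data(blob: bytes) -> List[TrackHit]:
    """Scan an arbitrary byte blob (memory dump, log file) for track data."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):            # card-shaped noise, not a card
                continue
            svc = m.group("svc").decode()
            hits.append(TrackHit(track, m.start(), mask_pan(pan),
                                 m.group("exp").decode(), svc, chip_present(svc)))
    return sorted(hits, key=lambda h: h.offset)


# Constructed dump using published test PANs (not real cardholder data).
SAMPLE_DUMP = (
    b"\x00\x00auth_req tid=42 "
    b"%B4111111111111111^DOE/JANE^25121011234567890123?"
    b"\x00\x00;5555555555554444=25122011234567890?"
    b" ;1234567890123456=2512101?"        # fails Luhn: ignored as noise
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

The Luhn check matters in practice: card-like digit runs are common in binaries and logs, and since only one random string in ten passes the check digit, it removes about nine tenths of the false positives. The service code is worth recording too, because a first digit of 2 or 6 marks a chip card, which a terminal that enforces EMV should refuse to process from the stripe alone.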

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands,” the credit card company told El Reg in an email. “There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”

Speculation is rife about the number of cardholders at risk, with some estimates putting it in the millions, in line with the 2009 Heartland Payment Systems breach, which compromised 130 million accounts. Some reports claim the third-party leak is from payment processor Global Payments, based in Atlanta, Georgia, but neither it nor MasterCard had any comment for El Reg at the time of publication.

“I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently,” noted Gartner distinguished analyst Avivah Litan.

She said that the attackers appear to have got through the existing knowledge based authentication questions used as security. This could be achieved either by researching and guessing the answers, or by hiring (or coercing) someone within the company to provide them.

Not surprisingly, the IT security industry is lining up to offer helpful advice (and, while it is at it, sell some product). Neil Roiter, research director at Corero Network Security, blamed the breach on over-reliance on the Payment Card Industry Data Security Standard (PCI DSS), which was developed by Visa, MasterCard, American Express, Discover and JCB International to set a uniform baseline of security controls for anyone that stores, processes or transmits card data.

“While the scope and details of the attack are not yet known, it shows that three years after the Heartland Payment Systems breach of 130 million credit card numbers, credit card data is still vulnerable,” Roiter said. “The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.” ®

Update

Global Payments has confirmed to El Reg that it was the target of an attack, and suggested that the fact the intrusion was detected at all was a tribute to its security processes.

“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said chairman and CEO Paul R. Garcia in an email.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/30/visa_mastercard_breach/

Yahoo! finally! adds! Do! Not! Track! tool!

Yahoo! is to begin slotting in support for a Do Not Track header across its entire online estate just a few months after its erstwhile privacy wonk quit the firm in favour of a job at Google.

Anne Toth, who is now working on the Chocolate Factory’s Google+, had opposed DNT.

Yahoo! said the tool, which will also be implemented on its Right Media and Interclick properties, will allow users “to express their ad targeting preferences” to the Purple Palace.

But the company has been very slow to provide such support for DNT. When Toth was at the helm of Yahoo!’s privacy team she had this to say (courtesy of Time Techland) about the technology:

Right now, when a consumer puts Do Not Track in the header, we don’t know what they mean. Privacy is not a one size fits all thing. Is analytics included in that? Is first-party customisation included in that? I think it’s fair for Google to say it’s going to hang out until it figures out what it means first. If we all do privacy in radically different way, we’re going to confuse consumers.

Google is yet to implement DNT, despite many of its rivals having already adopted the tool. It has recently made noises suggesting that some form of the tech will be built into its Chrome browser by the end of 2012.

It’s notable that Toth’s exit has apparently paved the way for Yahoo! to finally support DNT.

The struggling internet outfit sees things differently and described itself as a company that has “leadership in privacy innovation while continuing to create the free online service consumers demand”. And all that is thanks to those lovely advertising people, it added.

But the DNT move also comes after the US Feds gave online players a nudge earlier this week, when the FTC issued its final report on the “best practices” companies should put in place regarding the thirsty slurping of consumer data.

Lawmakers on that side of the Atlantic have warned that regulation could follow if the online ad giants don’t sort themselves out.

There have been tussles about how the DNT standard should be developed, and recently Microsoft has been touting a different technology – dubbed Tracking Selection Lists – that has led to a “task force” being assembled to work on that specification. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/30/yahoo_implements_do_not_track_tool/

Money mules are REAL victims of phishing, says Microsoft iconoclast

Microsoft has somewhat controversially claimed that money mules are the ultimate victims of phishing emails, rather than the consumers or banks that cyber-crooks target in online banking scams.

Mules act as middlemen who receive funds from compromised bank accounts before sending the bulk of the cash overseas to the organisers of scams, who are often based in eastern Europe and unable to receive funds from compromised accounts directly.

Researchers at Microsoft argue it’s these mules – recipients of just a small commission for each fraudulent transfer – who are the real victim of account-takeover scams, not banks or innocent punters.

Whether they are witting or unwitting[1] accomplices to cybercrime, money mules are far more likely to be arrested, and when the dust settles they will be out of pocket as banks reverse the fraudulent transactions.

“Money mules are not merely unwitting accomplices, they are the true victims in credential theft fraud,” Cormac Herley and Dinei Florencio of Microsoft Research argue in a paper entitled Is Everything We Know About Password-Stealing Wrong? (abstract below) in the latest issue of IEEE Security and Privacy magazine.

Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions.

First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones.

This suggests that it is the mule accounts rather than those of victims that are pillaged.

We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

The argument rests on the premise that US consumers are indemnified against losses from their online banking accounts.

Mules fall within the reach of Western police forces – and banks are getting more efficient at detecting and reversing fraudulent transactions, a process that plunges mules’ accounts heavily into the red just after they have wired funds to fraudsters.

“The thief is really stealing from the mule, not the compromised account, though that fact does not become clear until the dust settles,” the researchers write.

The major problem with this argument is that the victims of phishing fraud are often small business owners. And, in the US at least, bosses are liable for losses on corporate accounts caused by cyber-fraud. Unlike consumers they don’t get refunded by banks. So a virus infection on a PC used to do the corporate accounts can mean hundreds of thousands of dollars siphoned out of a business.

Former Washington Post staffer turned security blogger Brian Krebs has chronicled dozens of cases of small businesses left bankrupt in just these circumstances, as can be seen in an archive of relevant stories on his site.

Herley has become noted in security circles by questioning many aspects of conventional wisdom about information security. For example, he has probed the validity of cybercrime surveys and lambasted many aspects of current thinking on password best practices. This time however his provocative thinking seems to have strayed a little wide of the mark.

As well as painting mules as the ultimate victims of phishing scams, Herley and Florencio suggest that developing better back-end fraud detection or interfering with money mule recruitment is the best way to stamp out banking fraud. That’s certainly part of the picture but the researchers go on to describe the focus of banking authentication systems as misplaced, wrongly in El Reg‘s view. ®

Bootnote

[1] Money mules range from cynically abused people with Down’s syndrome and innocents taken in by fraudulent work-at-home schemes (of the type chronicled by BobBear) to willing accomplices, such as the Russian nationals involved in a ZeuS-powered cybercrime ring that was busted by the Feds two years ago. Three of the suspects in the latter case were Russian citizens who came to the US on student visas before allegedly using multiple forged passports to open bank accounts that received funds from compromised accounts.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/30/ms_money_mule_victims/

Use the holy word of God to stay secure online, says bishop

A bishop in Blighty has suggested that passages from the Bible can be used to create memorable but hard to crack passwords.

The Right Reverend James Langstaff urged his congregation to stop using pets’ names or stock phrases for login credentials in favour of passwords derived from passages in the New Testament.

“The Bible offers a life-long source of new passwords, that can include both upper and lower case letters and numbers to help create memorable, secure passwords,” the Bishop of Rochester explained, adding that holy passwords would help believers to recall passages from the Good Book.

The bishop suggests users derive their passwords by selecting their favourite passages, taking the first letter from each word in the quote, and appending the chapter and verse from which it is derived.

For instance: “Father, into your hands I commit my spirit” from Luke chapter 23 verse 46 would create the password FiyhIcmsL23V46.

Such a password would be far harder to guess at random than most in use today, but not impossible: the scheme is only as strong as the obscurity of the passage, and the well-known ones will be tried first. Passwords derived from Jules’ monologue in Pulp Fiction, for example, might prove popular.

“If someone knew that you were an active Christian, they might twig that you’ll have chosen one of the more famous Bible quotes as the basis of your password,” argues Graham Cluley, a security consultant at Sophos. “You can also imagine that if the bishop’s password advice became popular, hackers would simply create a database of Bible quotes which they would use to break into your account.”

Even better security could be achieved by using a made-up phrase to derive a password, Cluley suggests.
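To make Cluley’s point concrete, here is an added example that is not part of the article: it implements the bishop’s derivation rule exactly as described above, then runs the attack Cluley describes, an offline dictionary built from a verse list crossed with a few ways of writing the reference. The verse list is a constructed four-entry stand-in (wording abbreviated) for the few thousand popular verses a real attacker would download; the unsalted SHA-256 stands in for whatever hash a breached site leaked. Function and variable names are my own.

```python
import hashlib
import re
from typing import Iterator, List, Optional, Tuple


def passage_initials(passage: str) -> str:
    """First letter of every word, original case kept."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z']+", passage))


def bishop_password(passage: str, book: str, chapter: int, verse: int) -> str:
    """The rule quoted above: initials, then book initial, chapter, 'V', verse,
    e.g. 'Father, into your hands I commit my spirit' -> 'FiyhIcmsL23V46'."""
    return f"{passage_initials(passage)}{book[0]}{chapter}V{verse}"


# Reference spellings a cracker would try alongside the bishop's own format.
REF_FORMATS = [
    lambda b, c, v: f"{b[0]}{c}V{v}",   # L23V46, as suggested
    lambda b, c, v: f"{b}{c}:{v}",      # Luke23:46
    lambda b, c, v: f"{b[0]}{c}{v}",    # L2346
    lambda b, c, v: "",                 # initials alone
]

# Constructed stand-in for a list of popular verses (wording abbreviated; a real
# attack would load a few thousand from any online concordance).
CORPUS: List[Tuple[str, str, int, int]] = [
    ("For God so loved the world that he gave his only Son", "John", 3, 16),
    ("The Lord is my shepherd I shall not want", "Psalm", 23, 1),
    ("Father, into your hands I commit my spirit", "Luke", 23, 46),
    ("I can do all things through Christ who strengthens me", "Philippians", 4, 13),
]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def candidates(corpus) -> Iterator[str]:
    """Every verse in the list crossed with every reference format."""
    for passage, book, chapter, verse in corpus:
        initials = passage_initials(passage)
        for fmt in REF_FORMATS:
            yield initials + fmt(book, chapter, verse)


def crack(target_hash: str, corpus) -> Tuple[Optional[str], int]:
    """Offline dictionary attack on an unsalted hash: (guess or None, guesses tried)."""
    tried = 0
    for guess in candidates(corpus):
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    pw = bishop_password("Father, into your hands I commit my spirit", "Luke", 23, 46)
    print(pw, crack(sha256_hex(pw), CORPUS))
    # A made-up phrase (Cluley's suggestion) is in no list, so it is never found.
    print(crack(sha256_hex("MpfbvoS2012"), CORPUS))
```

With four verses and four reference formats the password falls on the ninth guess; with a realistic list it is tens of thousands of guesses, which is seconds of work offline. The made-up phrase in the last line is never found because it appears in no list, which is the whole of Cluley’s argument.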

In either case users should still use different passwords on different websites, so that a breach of one site does not open up more sensitive accounts to attack. ®

Bootnote

The word “password” itself does not appear in the Bible, according to a not-exactly-conclusive search, which is perhaps just as well. Like most subjects, the whole concept of secrecy can be either championed or lambasted by selective quotation from the Bible.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/30/bishop_bible_password_tip/

Don’t be alarmed

NHS Oxfordshire is to put the medical records of around 545,000 people online in an effort to give healthcare professionals faster access to patients’ information.

The Oxfordshire care records programme will be made up of two parts: the national summary care record (SCR) and the local Oxfordshire care summary.

The cost of the Oxford care summary for 2011-12 and 2012-13 would be around £1m, a spokeswoman for the trust, which is part of the Buckinghamshire and Oxfordshire cluster, told Guardian Government Computing. The trust estimates that the SCR will cost in the region of £500,000 in total, with the expenditure shared between the primary care trust (PCT) and strategic health authority.

The SCR will hold a patient’s basic medical information held on the NHS Spine, while the Oxfordshire care summary will pull in a temporary view of a patient’s health information from separate health organisations across Oxfordshire so it can be accessed in one place, according to the PCT. The summary it creates will be a read-only record that can be accessed through an online portal.

“These secure electronic records will give healthcare professionals faster, easier access to reliable and accurate information about patients to help with their care, particularly in an emergency, or when seeing a doctor out-of-hours when the GP practice is closed,” the trust’s spokeswoman said.

“When a patient’s records are not available to doctors outside normal GP surgery hours, the Oxfordshire care summary will improve patient care especially in more complex cases where the GP record may hold vital information not otherwise available, such as blood test results or drug side effects.”

For the Oxfordshire care summary the trust plans to use a combination of an existing local system, named Casenotes, and a service that retrieves information called the Medical Interoperability Gateway (MIG), provided by Emis and INPS – the two main GP practice system suppliers in Oxfordshire.

A local development will be carried out to allow Casenotes to display information retrieved by the MIG from other systems. These will predominantly be GP practice systems to begin with.

Healthcare professionals with chip-and-PIN NHS smartcards who are directly involved in a patient’s treatment will be able to access the SCR, while access to the Oxfordshire care summary will be limited to healthcare professionals employed by organisations caring for NHS patients in Oxfordshire. NHS Oxfordshire said health staff will have to ask a patient’s permission before their SCR can be viewed.

“Control and monitoring of access to the data will be taken very seriously so we can assure patients that their information is only viewed when necessary for medical care. Unlike paper records, a detailed audit trail is generated every time a record is viewed,” the trust’s spokeswoman said.

At the start of April every patient registered at a GP practice in Oxfordshire aged 16 years and over will receive a letter outlining what care records are, and how the programme works. It will also give people the opportunity to opt-out. The creation of the SCRs for patients in the area is expected to start in August, with the rollout continuing until the end of April 2013. The Oxford care summary element of the programme has a launch date of early 2013.

In 2010, the government suspended the creation of the SCR in regions where it had planned for an accelerated implementation until more had been done to raise public awareness about the programme.

But in January 2011 the Department of Health (DH) confirmed that it had resumed sending “a small number” of SCR mailings to patients, and said it planned to fully resume the rollout at a later date. The DH followed this up by encouraging NHS organisations to get on with the creation of SCRs in October 2011.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/30/nhs_oxfordshire_patient_records/

New Google tool lets you PROBE YOURSELF

Google may want to silently worm its way into everything people do online: but it’s now offering a tool that allows users of its services to see some of what Google sees about them.

The giant advertising company said in a blog post that it will now give users the opportunity to access detailed analysis of, for example, how much email they have sent and information about their top search queries.

Those interested in using the Account Activity tool will be required to opt-in to the feature. Google then sends out a monthly password-protected report that shows an individual’s logged-in usage of some of Mountain View’s vast online estate.

Google added that the tool would help users to monitor activity to make sure their accounts aren’t being compromised.

It said: “[I]f you notice sign-ins from countries where you haven’t been or devices you’ve never owned, you can change your password immediately and sign up for the extra level of security provided by 2-step verification.”
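The check Google describes, spotting sign-ins from unfamiliar countries or devices, is something anyone with their own authentication logs can automate. The Python below is an added example, not Google’s code or the format of its report; it runs three common account-takeover rules over a constructed sign-in history, and the record fields, the six-hour threshold and the names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class SignIn:
    when: datetime
    country: str   # ISO 3166 code as a geo-IP lookup would give it
    device: str    # stable device/browser identifier (assumed to exist)


def flag_anomalies(history: List[SignIn], recent: List[SignIn],
                   max_hop: timedelta = timedelta(hours=6)) -> List[str]:
    """Compare recent sign-ins against the account's established context.

    Three rules, each a staple of account-takeover detection:
      1. a country never seen in the baseline
      2. a device never seen in the baseline
      3. consecutive sign-ins from different countries closer together than
         max_hop (a crude 'impossible travel' test with no geo-distance)
    The baseline is deliberately not updated from the window under review,
    so an attacker's repeated logins keep being reported.
    """
    known_countries = {s.country for s in history}
    known_devices = {s.device for s in history}
    alerts: List[str] = []
    prev = max(history, key=lambda s: s.when) if history else None
    for s in sorted(recent, key=lambda e: e.when):
        stamp = s.when.strftime("%Y-%m-%d %H:%M")
        if s.country not in known_countries:
            alerts.append(f"{stamp} new country {s.country}")
        if s.device not in known_devices:
            alerts.append(f"{stamp} new device {s.device}")
        if prev is not None and prev.country != s.country and s.when - prev.when < max_hop:
            alerts.append(f"{stamp} country changed {prev.country}->{s.country} "
                          f"within {s.when - prev.when}")
        prev = s
    return alerts


# Constructed sign-in records (not real account data).
HISTORY = [
    SignIn(datetime(2012, 3, 27, 8, 30), "GB", "laptop-a1"),
    SignIn(datetime(2012, 3, 28, 9, 5), "GB", "laptop-a1"),
    SignIn(datetime(2012, 3, 29, 20, 0), "GB", "phone-c3"),
]
RECENT = [
    SignIn(datetime(2012, 3, 30, 9, 0), "GB", "laptop-a1"),
    SignIn(datetime(2012, 3, 30, 11, 0), "RO", "unknown-77"),
    SignIn(datetime(2012, 3, 30, 18, 0), "GB", "laptop-a1"),
]

if __name__ == "__main__":
    for line in flag_anomalies(HISTORY, RECENT):
        print(line)
```

Run against the constructed data it reports the 11:00 sign-in three times over: new country, new device, and a country change too fast to be travel. The baseline is frozen for the review window on purpose, so a second login from the same unfamiliar place is still reported rather than quietly becoming “known”.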

Google already offers its users similar products for monitoring their online activity – Google Dashboard and ad preferences manager – so it’s mildly surprising to see another feature added in this area.

The tool currently reports on Gmail, search and a few other Google services, but notably offers nothing on Google+ – the company’s social network.

It’s noteworthy that Google feels a user opt-in is required to receive the account activity report – generally a sign that a given service or offering could generate controversy. The company didn’t explain what it does with that report once it has been generated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/google_account_activity_tool/

Adobe auto-update eases Flash update chore

Adobe has introduced an auto-updater for its Flash software packages that reduces the chore of updating the widely-used application by automating the process for all supported browsers on Windows machines. Previously users had to apply individual updates to Chrome, Firefox and IE add-ons and plug-ins, a process that often went neglected, leaving systems open to attack.

The auto-update tool was released on Wednesday alongside a cross-platform update that addresses two memory-corruption vulnerabilities in versions 10 and 11, the currently supported versions of Flash. The update applies to all supported operating systems (Windows, Mac OS X, Linux and Android) and is rated “priority 2” by Adobe, meaning the “critical” vulnerabilities it covers are not yet known to be exploited in the wild or abused by malware, but are still serious enough that Adobe recommends patching within 30 days.

Users of Adobe AIR on Windows, Macintosh and Android are affected by the same set of bugs and also need to upgrade, as explained in Adobe’s security bulletin.

Cloud-based security services firm Qualys welcomed the auto-updating feature as a big step forward for Adobe, whose update process has historically been a bit of a chore.

“The most interesting addition to this version of Flash is that Adobe included an automatic update feature,” writes Wolfgang Kandek, CTO of Qualys in a blog post. “If the user opts-in the player will in the future silently update all browsers on the system to the most current version of Flash. We highly recommend to opt-in, running on the latest version of Flash adds considerable resilience to one’s setup, plus it avoids the chore of updating all of your installed browsers by hand.”

Adobe’s “background updater” for Flash is Windows-only, at least for now. More details on how it works are given in a blog post by Adobe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/adobe_flash_auto_update/

NDS says Beeb’s Panorama emails were ‘manipulated’

TV crypto company NDS says the BBC misled viewers in a Panorama investigation broadcast on Monday. The former Murdoch company, which Cisco agreed to buy earlier this month, has released what it says are the original emails.

The Beeb alleged that NDS gave a “hacker honeypot” website named Thoic access codes that could be used in counterfeit smart cards to view channels offered by pay-TV firm ONdigital without paying for them. ONdigital, which folded in 2002, was a rival to the Murdoch empire’s Sky television business. It has been suggested that piracy of ONdigital’s content contributed to its downfall, benefiting Sky.

Monday’s BBC programme relied on fresh claims by former Thoic operator Lee Gibling and emails obtained from the hard drive of former London police commander Ray Adams, who was head of security at NDS in 2002. Gibling was retained by NDS as a paid informant.

Now NDS says that the BBC swapped the subject line (“4u”) and the recipient line (an email address, obfuscated in this copy of the article) to give the misleading impression that Adams was forwarding a link to the pirate website rather than receiving one.

[Image: what the BBC broadcast, alongside what NDS says was actually sent]

In another email, the BBC omitted headers and formatting information that showed the message was an internal one between NDS employees forwarding an external Usenet posting.

[Image: what the BBC broadcast, alongside what NDS says was actually sent]

The emails were copied from Adams’ hard drive after he left NDS in 2002. In a press statement NDS said it is possible the messages were tampered with before Panorama obtained them – but it was the duty of the broadcaster to convey accurate information.
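Whatever the truth of this particular dispute, the check NDS says the BBC should have made is a routine one in email forensics: read the full headers rather than a rendered From/To/Subject, because the Received: chain records every relay the message passed through, and the body of a forwarded Usenet article carries its own header block. The Python below is an added example, not evidence from either side; it parses a constructed message with fictitious people and hosts, the internal domain is an assumption, and the function names are mine.

```python
import email
import re
from email import policy
from typing import Dict, List

# Domain treated as "inside the company" for this exercise (an assumption).
INTERNAL_DOMAIN = "example-corp.test"

RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
NEWSGROUPS_RE = re.compile(r"^Newsgroups:", re.MULTILINE)


def domain_of(addr: str) -> str:
    """'Name <user@host>' or 'user@host' -> 'host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def hop_chain(msg) -> List[str]:
    """Each relay prepends a Received: header, so the topmost is the final hop.
    Returns the 'from' host of every hop in delivery order, origin first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(str(value))
        hops.append(m.group(1).lower() if m else "?")
    return list(reversed(hops))


def summarise(raw: bytes) -> Dict[str, object]:
    """Pull out the facts that the full headers establish about a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender, recipient = str(msg["From"]), str(msg["To"])
    hops = hop_chain(msg)
    return {
        "from": sender,
        "to": recipient,
        "subject": str(msg["Subject"]),
        "hops": hops,
        # Internal only if sender, recipient and every relay are in-house.
        "internal": domain_of(sender) == INTERNAL_DOMAIN
        and domain_of(recipient) == INTERNAL_DOMAIN
        and all(h.endswith(INTERNAL_DOMAIN) for h in hops),
        # A quoted Usenet article carries its own Newsgroups: line in the body.
        "forwards_usenet_post": bool(NEWSGROUPS_RE.search(msg.get_content())),
    }


def discrepancies(raw: bytes, shown: Dict[str, str], received_shown: bool) -> List[str]:
    """Compare what a viewer was shown (header field -> text) with the original."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems = []
    for field, text in shown.items():
        actual = str(msg[field]) if msg[field] is not None else ""
        if actual != text:
            problems.append(f"{field}: shown {text!r}, original {actual!r}")
    if not received_shown and msg.get_all("Received"):
        problems.append("Received: chain omitted, so the route cannot be judged")
    return problems


# Constructed message (fictitious people and hosts), not either party's evidence.
RAW_INTERNAL = b"""Received: from mail1.example-corp.test (mail1.example-corp.test [10.0.0.5])
\tby mail2.example-corp.test with ESMTP id abc123; Mon, 1 Jul 2002 10:02:11 +0100
Received: from ws-42.example-corp.test ([10.0.1.42])
\tby mail1.example-corp.test with SMTP; Mon, 1 Jul 2002 10:02:09 +0100
From: Alice Analyst <alice@example-corp.test>
To: Bob Boss <bob@example-corp.test>
Subject: FW: interesting post
Message-ID: <20020701100209.abc@example-corp.test>
Content-Type: text/plain; charset=us-ascii

FYI, seen on the newsgroups this morning:

Newsgroups: alt.example.tv
From: anon@example.net
Subject: new cards

(forwarded posting text would follow here)
"""

if __name__ == "__main__":
    print(summarise(RAW_INTERNAL))
    print(discrepancies(RAW_INTERNAL,
                        {"To": "FW: interesting post",
                         "Subject": "Bob Boss <bob@example-corp.test>"},
                        received_shown=False))
```

The second function is the comparison a fact-checker would run: hand it the fields as they were shown and it lists every field that differs from the original and flags a missing Received chain. None of this authenticates the source file itself; a message copied from a hard drive years earlier can carry perfectly consistent headers and still have been altered, a caveat NDS itself acknowledges.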

“The fact that you relied on manipulated email chains, without checking their authenticity with us prior to broadcast, demonstrates a flagrant disregard to the BBC’s broadcasting code, misleading viewers and inciting widespread misreporting,” said NDS.

The BBC is obliged by its charter to be impartial, even when reporting on business rivals like the Murdoch companies.

For its part, the Beeb issued a statement saying:

We stand by the Panorama investigation. We have received NDS’s correspondence and are aware of News Corp’s rejection of Panorama’s revelations. However, the emails shown in the programme were not manipulated, as NDS claims, and nothing in the correspondence undermines the evidence presented in the programme.

There are good reasons to think that ONdigital/ITV digital would have folded in 2002 even if there hadn’t been a single pirate smartcard able to access its channels. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/nds_emails/

Ukrainian cops silence old-skool virus tinkerers’ playground

Ukrainian cops have shut down a long-running malware exchange website frequented by old-school virus writers.

A message on the front page of the VX Heavens website announces that the site has been forced to shut up shop after the plods seized its servers last Friday as part of a criminal investigation. According to the shuttered site:

For many years we have tried hard to establish reliable operation of the site, which supplied you with professional-quality information on systems security and computer virology. We have always believed that true research in any field (computer virology included) is only possible in an atmosphere of trust, openness and mutual assistance.

Unfortunately…

On Friday, 23 March, the server was seized by the police as part of a criminal investigation (article 361-1 of the Criminal Code of Ukraine – the creation of malicious programs with intent to sell or spread them) based on someone’s tip-off about the “placement into free access of malicious software designed for unauthorised breaking into computers, automated systems and computer networks”.

The absurdity of such a statement we will need to prove in court…

We are sorry, but while the case is still open we are unable to offer our services in any form.

VX Heavens, which bills itself as a vault of information, provided virus-writing tutorials as well as malicious code samples and other resources. The site had been running for many years prior to last week’s takedown operation.

The site was part of the old-school virus development scene and something of a throwback to days of old before profit-making Trojans dominated the malware landscape, according to anti-virus firms.

“The folks using the VX Heavens website were probably not in the same league as the financially-motivated organised criminals computer users are often troubled by today, and mirror rather more the hobbyist malware authors of yesteryear,” explained Graham Cluley in a post on the Sophos Naked Security blog.

“Nevertheless, it’s clear that the Ukrainian authorities didn’t like what they saw and have confiscated the website’s servers in their hunt for evidence of criminality. Let no one be under any illusions: malware creation and distribution of viral code has become a big concern for the-powers-that-be. It’s not a game anymore – if you play in this area, don’t be surprised if the authorities take a dim view,” Cluley added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/vxer_hub_takedown/