STE WILLIAMS

Criminals Targeting Magento Sites with Brute-Force Password Attacks

Flashpoint says it is aware of at least 1,000 sites using Magento’s e-commerce platform that have been recently compromised.

Cybercriminals are using brute-force password attacks to gain administrative access to sites using Magento’s open source e-commerce platform in order to steal credit card numbers and distribute cryptocurrency mining malware, Flashpoint warned this week.

In a report Monday, the security vendor said it is aware of at least 1,000 Magento sites that appear to have been recently compromised by attackers using common and default credentials to brute force their way into the content management system (CMS) admin panel. In many cases, their task appears to have been simplified by admins who had failed to change default credentials to the platform, Flashpoint said. According to the vendor, it is quite likely the 1,000 compromised panels that it is aware of are only a subset of a larger body of compromised Magento websites.

The attackers have been using their admin access to inject malicious code into the Magento system for accessing pages and for intercepting requests to the server involving payment card data. In many cases, they have also carried out other opportunistic attacks.

Vitali Kremez, director of research for Flashpoint, says the company obtained 1,000 compromised Magento CMS panels from a Russian-speaking criminal. The threat actor was able to procure access to the panels through brute-force attacks, he says. “The actor targeted several different sectors, including education and healthcare,” Kremez notes. “The IP addresses associated with the compromised panels map predominantly to Europe and the United States.”

He describes the types of compromised websites as ranging from small to midsize organizations that had installed the Magento CMS for e-commerce transactions. Online retail stores appear to have been the most heavily affected, followed by healthcare and education websites, Kremez says.

“The actors exploit and monetize their Magento panel accesses in three unique ways depending on [the] sites,” he says.

The favored way is to install JavaScript sniffers on the compromised site for scraping payment card data, which is then later sold on Dark Web stores. If the breached website does not yield payment card data, the attackers resort to uploading cryptocurrency mining tools such as Coinhive.

The third tactic is to use the compromised site to host code — typically a phony Adobe Flash Player update — which, if executed, results in a data-stealing malware tool dubbed AZORult being downloaded on computers belonging to site visitors. AZORult in turn downloads Rarog, a Coinhive cryptocurrency miner on the user’s system.

The attackers have shown a tendency to update the malicious files daily in order to avoid detection by signature-based anti-malware tools, according to Flashpoint.

The discovery of the 1,000 compromised Magento websites highlights the continuing attacker interest in the platform.

“Magento CMS panels are, by far, one of the most popular e-commerce panels developed for online transactions that are heavily targeted by cybercriminals,” Kremez says. Other common CMS platforms that are favored by cybercriminals, but to a lesser extent, include Powerfront and OpenCart CMS, he notes.

The recent rash of attacks is another reminder of the security risks posed by the use of default credentials by administrators. The attacks highlight the need for administrators to review the credentials that are being used to access the Magento CMS and to ensure and enforce password complexity requirements. Organizations should enable two-factor authentication for access to sensitive systems, databases, and applications, the security vendor said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/criminals-targeting-magento-sites-with-brute-force-password-attacks/d/d-id/1331446?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 million credit cards exposed in Saks and Lord & Taylor data breach

A holiday weekend without a big data breach story!

Imagine that!

In your dreams, sadly – because in real life, the mainstream media in North America has been full of Easter news about a large-scale exposure of credit card data from Saks Fifth Avenue and other brands operated by Canadian retail giant Hudson’s Bay Company, or HBC for short.

A Dark Web monitoring company called Gemini Advisory announced the breach on 01 April 2018 (it wasn’t a joke) on Twitter:

Gemini Advisory itself is a bit of a mystery – there’s no address or phone number on the company’s website, and the Contact Us process is one of those mysterious web forms where you hand over your contact details and submit your query into the ether by clicking a [Send Message] button.

According to the company, it is:

Deeply embedded in the hacking underground, [where] our multilingual experts, who have years of experience consulting Fortune 100 companies, and federal law enforcement agencies, successfully conduct covert operations and provide ongoing support of cyber defense, threat intelligence, and fraud prevention teams.

Gemini Advisory’s claim in this data breach case is a bullish one, apparently based on an advert in an underground forum published by a crook going by the handle of JokerStash:

On March 28, 2018, a JokerStash hacking syndicate announced the release for sale of over five million stolen credit and debit cards. In co-operation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores. We estimate the window of compromise to be May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations. As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.

The breach was apparently dubbed BIGBADABOOM-2 (it’s not just bugs that have catchy names these days), and claimed to offer TR2+TR1 dumps of cards from dozens of different countries.

The mention of “track dumps” suggests that the stolen data derives from old-style swipe-card transactions, where the contents of the magnetic stripe data on your card is uploaded in its entirety from the card reader to the payment processing terminal, typically a Windows PC, for processing within the merchant’s network.

Chip and PIN transactions avoid that risk, but many US merchants still seem to prefer customers to swipe their cards even if they are chip-enabled – apparently the transactions are slightly faster if swiped rather than chipped, so both buyers and sellers seem to be happy to live in the past for the sake of a few seconds.

HBC doesn’t mention the breach on its Twitter feed or its own website, with its most recent press release dated nearly a month ago, trumpeting in shouty capitals that HUDSON’S BAY ANNOUNCES BRIAN GLUCKSTEIN AS NEW HOME DESIGN AMBASSADOR.

Saks Fifth Avenue, to its credit, has a link at the top of its main page entitled Important Message for Our Customers Regarding Payment Card Security Issue, but there’s still not a lot to go on there.

The company insists, three times, in fact, that:

We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.

The affected locations where data was harvested aren’t mentioned explicitly, with a blanket statement saying simply that “certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America” were affected – suggesting that the breach affected multiple countries, as well as multiple stores.

What to do?

Saks Fifth Avenue insists – as in the infamous Target breach back in 2013 – that the breach involved in-store payments only, with no compromise of its online e-commerce network, suggesting that some sort of data-logging or RAM-scraping malware on cash registers might have been involved.

Chip and PIN helps to sidestep this sort of attack because your card data is never shoved into memory on the retailer’s network – at least some of the cryptographic processing required to authorise the transaction is done internally on the card itself.

We therefore recommend:

  • Avoid shopping at stores where the merchant insists on you swiping your card when you want to do a chip payment instead.
  • Watch your card statements carefully, so you can dispute unexpected transactions promptly.
  • Consider requesting a new card from your financial institution if you have shopped at any of the above mentioned outlets in the past year.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LFqWjOHX3E0/

Panera Bread customer records exposed via leaky database – dough!

There’s a war of words going on at the moment between veteran cybercrime reporter Brian Krebs and US bakery chain Panera Bread.

Krebs recently wrote about a data leakage problem on Panera’s website, whereby crooks could supposedly tease out personal information about Panera customers, without logging in themselves, by directly searching for likely terms in Panera’s online database.

For example, if you knew someone’s phone number, you could put in a search request and retrieve information that Panera happened to hold against that phone number.

In Krebs’s article, he gave an example where searching for a single company phone number retrieved data on numerous users, including username, email address and the last four credit card digits – presumably because multiple staff at a company located near one of Panera’s outlets had asked for deliveries to their place of work.

Worse still, attackers could apparently search by account ID, a numeric identifier that Krebs says may simply be incremented by one for each new user.

In other words, if you had a Panera account yourself and knew that your numeric ID was, say, 31337, then trying 31338, 31339 and so on might allow you to recover at least some personal information about other customers who first transacted at around the same time you did.

Of course, by trying thousands or hundreds of thousands of IDs in sequence you might, in theory at least, suck down data about hundreds or thousands of other active users.

Apparently, Panera has now moved the offending data out of harm’s way, but that’s where the war of words with Krebs kicks in.

Panera is on the record claiming that “[o]ur investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

Panera may very well be in a position to support a claim of this sort, assuming that it has server logs that reliably show which user records were accessed, and how, and assuming that the logs provide a complete and reliable record.

But Krebs thinks otherwise, saying that “[i]t is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.”

Indeed, Krebs concludes his piece with the claim that “[s]ubsequent links […] indicate that this data breach may be far larger than the 7 million customer records initially reported as exposed in this story. The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

What to do?

Even if Krebs’s numbers are theoretical maxima and Panera’s figures turn out to be the real-life ones, there was still a breach here, and it could easily have been avoided.

So, if you have a searchable customer database that’s accessible online, ask yourself these three questions:

  1. Does this data need to be online at all? If “no”, then take it offline immediately and permanently.
  2. Does this data require a user to authenticate first? If “no”, then take it offline immediately until you’ve sorted out the login process.
  3. Does this data correctly limit access to the current user? If “no”, then take it offline immediately until you’ve sorted out proper access control.

Remember: if in doubt, really, really, REALLY don’t give it out, especially if it’s data about someone else.
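The three questions above, turned into code. This is an added example, not Panera’s code: the customer records, the session handling and the function names are constructed for the demo. The “before” handler answers any lookup by account ID or phone number with no login at all, which is the shape of the leak Krebs described; the “after” handler requires a session (question 2) and returns only the caller’s own record (question 3), and answers a lookup of someone else’s ID exactly as it answers a non-existent one so the response cannot be used to confirm which sequential IDs are live.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Customer:
    account_id: int
    username: str
    email: str
    phone: str
    card_last4: str


# Constructed sample data. The account IDs are sequential, the property that made
# walking the ID space so cheap in the incident described above. Two customers
# share an office phone number, mirroring the company-number example in the article.
CUSTOMERS = {
    31337: Customer(31337, "alice", "alice@example.com", "555-0100", "4242"),
    31338: Customer(31338, "bob", "bob@example.com", "555-0100", "1881"),
    31339: Customer(31339, "carol", "carol@example.com", "555-0199", "0005"),
}


class AuthenticationError(Exception):
    """Raised when no authenticated session accompanies the request."""


def vulnerable_lookup(account_id: Optional[int] = None,
                      phone: Optional[str] = None) -> List[Customer]:
    """Before: an open endpoint that anyone on the Internet can query.

    No session is consulted, so a caller can retrieve any record by ID, and a
    phone-number search hands back every account that shares that number.
    """
    if account_id is not None:
        c = CUSTOMERS.get(account_id)
        return [c] if c else []
    if phone is not None:
        return [c for c in CUSTOMERS.values() if c.phone == phone]
    return []


def hardened_lookup(session_user_id: Optional[int],
                    account_id: Optional[int] = None,
                    phone: Optional[str] = None) -> List[Customer]:
    """After: the lookup is bound to the authenticated user.

    Question 2: is there a logged-in user at all?  If not, refuse outright.
    Question 3: is the result limited to that user?  Whatever key the caller
    searches by, the only record that can come back is the caller's own.
    """
    if session_user_id is None:
        raise AuthenticationError("login required")
    own = CUSTOMERS.get(session_user_id)
    if own is None:
        return []
    if account_id is not None and account_id != session_user_id:
        # Same answer as for an ID that does not exist: the response must not
        # reveal whether a neighbouring ID belongs to a real customer.
        return []
    if phone is not None and own.phone != phone:
        return []
    return [own]


if __name__ == "__main__":
    print("open endpoint, phone search:", vulnerable_lookup(phone="555-0100"))
    print("hardened, alice searching same phone:", hardened_lookup(31337, phone="555-0100"))
    print("hardened, alice asking for bob's ID:", hardened_lookup(31337, account_id=31338))
```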


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rckhlas7nHs/

Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

Hackers have compromised hundreds of e-commerce sites running the popular open-source Magento platform to scrape credit card numbers and install crypto-mining malware.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials, threat intel firm Flashpoint has warned.


Flashpoint said it was aware of at least 1,000 compromised Magento admin panels. Attackers are also targeting other popular e-commerce-processing content management systems such as Powerfront CMS and OpenCart.

Dark web forum chatter on how to launch the assaults has been ongoing since 2016.

Hacking insecure e-commerce sites has been turned into a cottage industry by black hats and dumbed down to suit the technically unskilled, Flashpoint noted.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.”

Once a hacker has control of the site’s Magento CMS admin panel, they can add any script they choose.

In one example tracked by Flashpoint, hackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

The same techniques are also being used in attacks geared towards slinging the Rarog cryptocurrency miner.


Most of the victims among the 1,000 compromised panels belong to firms in the education and healthcare industries, largely in the US and Europe.

Flashpoint is working with law enforcement to notify victims of breaches. The sites so far detected probably represent only a sliver of the total compromised, many of which have been hacked by making basic security mistakes.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by getting rid of weak passwords and enforcing two-factor authentication.
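The attacks in both Magento reports above leave a trace a site owner can look for: a burst of login POSTs to the admin panel from one source, sometimes followed by a successful session. This is an added example, not Flashpoint’s or Magento’s code. It assumes the admin panel is served under /admin/ (Magento’s default front name, which is configurable), that a login attempt is a POST to that path, and that a successful login is followed by a 200 for /admin/dashboard/; the log lines are constructed for the demo in combined log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 203.0.113.7 - - [03/Apr/2018:10:16:00 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ADMIN_LOGIN = "/admin/"                 # assumption: default Magento admin front name
ADMIN_DASHBOARD = "/admin/dashboard/"   # assumption: first page loaded after a successful login


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_admin_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs that POST to the admin login more than `threshold` times
    within any sliding `window`.  Each finding records the total attempts seen
    and whether the same IP later reached the dashboard: a burst followed by a
    success is the case that needs an immediate credential reset."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    total = defaultdict(int)      # ip -> all login POSTs seen
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["method"] == "POST" and ev["path"] == ADMIN_LOGIN:
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > threshold or ip in findings:
                f = findings.setdefault(ip, {"first_seen": q[0], "success_after_burst": False})
                f["attempts"] = total[ip]
                f["last_seen"] = ts
        elif ip in findings and ev["path"].startswith(ADMIN_DASHBOARD) and ev["status"] == 200:
            findings[ip]["success_after_burst"] = True
    return findings


def sample_log():
    """Constructed lines: one legitimate admin login, then a 25-attempt burst from
    a single source that ends with the dashboard being served."""
    base = datetime(2018, 4, 3, 10, 15, 0, tzinfo=timezone.utc)

    def fmt(ip, t, request, status):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{request} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [
        fmt("198.51.100.4", base, "POST /admin/", 302),
        fmt("198.51.100.4", base + timedelta(seconds=2), "GET /admin/dashboard/", 200),
    ]
    for i in range(25):   # one attempt per second
        lines.append(fmt("203.0.113.7", base + timedelta(minutes=1, seconds=i), "POST /admin/", 302))
    lines.append(fmt("203.0.113.7", base + timedelta(minutes=2), "GET /admin/dashboard/", 200))
    return lines


if __name__ == "__main__":
    for ip, f in detect_admin_bruteforce(sample_log()).items():
        print(ip, f)
```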

“Not changing the default credentials of a website CMS is like leaving the key on the outside of your front door,” commented Martijn Grooten, editor of industry journal Virus Bulletin and some-time security researcher.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/magento_brute_force_attack/

3 Security Measures That Can Actually Be Measured

The massive budgets devoted to cybersecurity need to come with better metrics.

Why is so much of technology security such a mystery? In particular, why does it have so few metrics?

I get it. For any given company, if there hasn’t been a breach lately, it’s assumed that defenses must be working. But shouldn’t there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?

Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing. Last year, we saw the seventh consecutive year of security budget increases, with a combined annual growth rate of 6% from 2010 to 2013, and 11% from 2014 to 2017.

Let’s bring up the bottom line here. Cybersecurity is not an IT issue. It’s a business conversation. In fact, it’s a business priority.

As a retired Major General of the U.S. Air Force with three decades of experience leading large-scale efforts to defend global networks, I’ve been at the intersection of big budgets and serious dangers to infrastructure security. I understand the complex and always-expanding challenges that security chiefs face. There are always new technologies featuring strange vulnerabilities, evolving threat vectors, and emerging cybercriminal operations with sophisticated tactics.

However, this doesn’t mean that cybersecurity initiatives should get a pass on the standards that every other department must meet. And for a long time, they’ve enjoyed exactly that freedom.

Sure, most organizations do make efforts to measure cybersecurity effectiveness, but not in terms of how it benefits the business. The SMI benchmark survey, which consulted 400 global business and security executives, found that 58% of respondents scored a “failing grade” when evaluating their organization’s efforts to measure their cybersecurity investments and performance against best practices.

Unlocking the Mysteries of Cybersecurity
Somehow, cybersecurity investments are seldom seen as business decisions. Rather, they are viewed as a kind of mysterious black box with contents that are a deeply held secret. Don’t ask too many questions, because it might jinx the process.  

So, what’s the answer here? How do we measure cybersecurity effectiveness like every other metrics-driven business unit? When I was CIO at US Transportation Command, I established an oversight committee to evaluate the business impact and risks associated with cybersecurity investments. The channel of communication from the security operations center to the CISO to the boardroom had a major impact.  

Most organizations still don’t apply business-related, risk-based metrics to their cybersecurity efforts. Those that do often measure the wrong things — for example, things that can’t be validated or represent only a snapshot in time. The key question to ask is: “Are we measuring the validity, value, and effectiveness of our cybersecurity controls?”

Traditional models of measuring cybersecurity effectiveness are siloed and fragmented; cybersecurity measures are managed across separate enterprise channels, and important data is underutilized. Cybersecurity for business needs to be holistic and intelligent while delivering actionable insights, so that resources are focused and prioritized based on associated risk.

For example, IT and networking shops have countless management layers in order to perform synthetic transactions, run Internet Control Message Protocol (ICMP), and answer questions about their environment: “Is my network up? Is it fast?” Capacity planning predicts how much disk space, CPU, and RAM is required based on trends. Why don’t we have processes like these for cybersecurity? Specifically, what are the technologies and processes we can implement to position cybersecurity as a metrics-driven business unit? I offer three possibilities.

Possibility 1: Elevate Security to the Highest Levels
Let executives from the boardroom on down be directly involved in management, with all the accountability that requires. The primary question is: “Are we acting appropriately regarding cybersecurity for our customers and our shareholders?”

An enterprise cannot determine how much risk to avoid, accept, mitigate, or transfer (via cyber insurance) without actionable metrics backed by empirical data. This happens when a CISO can compare and trend both subjective security data (such as internal assessments) and objective data points (such as automated monitoring). By contrast, legacy metrics like “time to patch” and “number of attacks stopped by the firewall” are static views. A true security posture can only be achieved through real-time automated assessments of the controls in place.

Possibility 2: An Automated and Proactive Defense
Organizations now face more pressure and more aggressive threats than ever before. Consequently, the defense strategy must be proactive and automated. For example, penetration testing results can be automated for continual (rather than periodic) evaluation.

Possibility 3: Visibility into Business Risk
Forget the mystery. Develop quantitative and measurable data to make wise security investment choices. Ideally, measure and communicate cyber-risk in financial terms, such as the probability and expected cost of security incidents based on current cyber-risk conditions.

None of this will be easy. But as the budgets continue to spike — even as the data breaches keep happening — we need to tie security to accountability. This is a business, and that makes business sense.


Major General Earl Matthews USAF (Ret) is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead …

Article source: https://www.darkreading.com/operations/3-security-measures-that-can-actually-be-measured/a/d-id/1331419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com and the company’s response failed to rise to the challenge.

Panera Bread, the “fast casual” restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.

KrebsOnSecurity reported yesterday on a programming error on Panera’s website that left millions of customer records – names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards – exposed in plain text, to a casual search. That’s bad enough, but when the details of the error’s history began to come out, things got worse.

Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera’s IT team simply didn’t believe him. After additional correspondence, the company’s director of information technology told Houlihan that they had verified his findings and remediated the problem.

Unfortunately, when Houlihan contacted KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.

“The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place,” says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers’ names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.

After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.

“This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication.”

Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In their on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security and reported by KrebsOnSecurity indicates that Panera may have been correct about the Houlihan number being off; Hold Security’s estimate for affected accounts is approximately 37 million.

“Panera’s handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end,” said Ben Johnson, CTO and co-founder of Obsidian Security, in a statement. “It is better to fix the problem than to race to the media with news of a purported fix. If there’s a silver lining here, it’s that we can have a new example of how not to respond to a security leak.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/panera-bread-leaves-millions-of-customer-records-exposed-online/d/d-id/1331436?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

YouTube prankster sued by In-N-Out Burger

California burger chain In-N-Out Burger is not amused by YouTube prankster Cody Roeder, whose antics have included pretending to be the company’s CEO and telling a customer that their meal was “contaminated” and “garbage.”

Roeder films pranks for his YouTube channel, Troll Munchies. You can see his prior pranks on that channel – the picking up girls/embarrassing Mom prank, “hilarious fart vape pen” and the like – but the In-N-Out videos posted two weeks ago have since been made private, according to the BBC.

That’s likely because it’s gotten Roeder in a bit of a legal pickle. In-N-Out last week sought a restraining order against the prankster and his film crew. It also filed a lawsuit that claims that Roeder’s two recent pranks caused “significant and irreparable” harm to the chain. The suit seeks damages of more than $25,000.

CBS Los Angeles, which featured some footage taken of Roeder’s pranks in its own news coverage, says that early last month, Roeder put on a dark suit, walked into an In-N-Out in Van Nuys, and claimed to be their CEO.

“Hey, I’m your new CEO,” he said. “Just doing a little surprise visit.”

Some of the employees believed him, but the manager wasn’t convinced. She asked him to step away from behind the counter, as Roeder told employees he wanted a cheeseburger and fries for a taste test. He left after employees called police.

Roeder wasn’t done with the prank, though. The next day, he went to a Burbank In-N-Out, again claimed to be the new CEO, and this time demanded to talk to the manager about “contamination” of the food, saying:

All of this is unsanitary, most of this is dog meat. Sir, sir, I hate to say this… but your food is contaminated. This is just, it’s garbage.

He then told a customer that he needed to take his food. Then, he dropped the customer’s burger on the floor, said “It’s garbage,” and stepped on it.

Employees again told him to leave.

In-N-Out said in a statement that it won’t put up with people using the chain’s restaurants, employees and customers in their lust for social media fame:

These visitors have unfortunately used deceit, fraud, and trespass to their own advantage, and in each instance, they have attempted to humiliate, offend or otherwise make our customers or associates uncomfortable. We believe that we must act now and we will continue to take action in the future to protect our customers and associates from these disruptions.

This isn’t the first time that self-styled pranksters have gotten into serious trouble.

  • In 2016, four members of the YouTube channel TrollStation – known then as the septic tank of prankster sites – were jailed for staging and filming fake robberies and kidnappings. Their aggressive and/or violent public antics have included trolls enacting brawls and smashing each other in the head with bottles made out of sugar.
  • Last year, a couple in the US reportedly lost custody of two of their five children, whom they had filmed while screaming profanities at them, breaking their toys as a “prank” and blaming them for things they didn’t do. Some of the videos, posted to their DaddyOFive YouTube channel, showed the kids crying and being pushed, punched and slapped.
  • In February, Australian YouTube prankster Luke Erwin was fined $1,200 for jumping off a 15-meter-high Brisbane bridge in the viral “silly salmon” stunt.
  • US YouTube prankster Pedro Ruiz III was killed last year by his girlfriend and the mother of his children after insisting that she shoot a .50 caliber bullet through an encyclopedia he was holding in front of his chest. She’s now serving a 180-day jail term.

Can YouTube stop this madness?

YouTube is already making moves to regulate controversial videos. Last month, the site revealed that it’s planning to slap excerpts from Wikipedia and other websites onto pages containing videos about hoaxes and conspiracy theories, for one thing.

But prank videos? They’re click-gold, and that’s apparently helping to keep them from being regulated.

As Amelia Tait has described it for New Statesman, and as the YouTube channel Nerd City has made painfully clear, the enormously popular and insanely dangerous pranking culture shrugs off critics with catchphrases such as “it was a social experiment,” “block the haters,” and “It’s just a prank, bro.”

Both the quest for fame and the profit to be made off ads on these prankster videos are causing an arms race to the bottom as shock-jocks try ever harder, more dangerous, more violent and more illegal stunts.

These aren’t just pranks. These are videos in which people get hurt, or worse. Children get punched, tampons get coated in hot pepper, and their makers use the hashtag “funny”.

In-N-Out Burger, we’re with you. We aren’t laughing either.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jth5k1nA7ig/

One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

Ad and JavaScript blocking is not enough to thwart privacy invasions by the likes of Facebook: more active countermeasures are needed.

The internet ought to “route around” known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model. Just like enterprises and other large organizations set up honeypots and decoys to misdirect hackers’ attention, browsers and similar software should lure website operators into tar pits of useless and false personal information.

That’s according to Chad Loder, chief executive of Canadian security awareness training biz habitu8, and Rapid7 founder.

“In information security, we’re content to block nuisances, but with active adversaries, we take a more forward-leaning stance,” Loder said. “If we classify the Facebooks of the world as active adversaries, you’re going to see active countermeasures being incorporated into browsers.”

Isolate and bamboozle

Loder advocates the use of “active deception” in throwing off websites and ad networks that track people around the ‘net. These measures would include the automatic creation of fake profiles and identities to “isolate and bamboozle abusive sites,” effectively flooding their databases with garbage.

“We’ve been passive in this arms race so far, content to smugly proclaim ‘I don’t use Facebook’ – but the tide is about to change,” said Loder.

“If bots can be used to spread propaganda, bots can also be used to create an immune system-like response to isolate and envelop these abusive sites while they starve for resources. If bots can be used to spread disinformation, they can also be used to create a crowd within which to hide and stay anonymous.

“Most importantly, it’s much harder for the next Cambridge Analytica to abuse data that’s riddled with synthetic but plausible garbage.”

“It’s not impossible to have a browser plugin that creates ephemeral and synthetic identities, flooding known privacy ghettos with bad throwaway data while preserving your anonymity,” he added on Twitter. “If we can tar-pit spammers, we can tar-pit Facebook and Google from the browser.”

Stalked everywhere we go

The harvesting of personal data from millions of people’s Facebook profiles by Cambridge Analytica through its associates led to the trending #deleteFacebook campaign online.

However, deleting your FB account may not be enough. Third-party Facebook applications have gathered vast amounts of personal information from people’s accounts simply by inviting users to sign up for quizzes and games. Thousands of app owners and developers still have personal data slurped from millions of users, and it is not clear how and when they will use it, or if they have since deleted the records.

Meanwhile, internet users are tracked in multiple ways all day long: by search engines, advertisers, phone apps, and similar platforms, as well as crafty ISPs. You don’t need an account with a website to be stalked, and have ads targeted at you; various site operators build so-called shadow profiles of people as they click around the web, gathering databases of intelligence on folks.

“Any online platform that we use collects information about our behavior, location and so on,” said Marty Kamden, chief marketing officer of NordVPN. “Apps and platforms use cross-device tracking, where they build a consumer’s profile based on their activity throughout devices.

“Browsing history may be combined with physical location, retail purchases with watched TV programs, commute to work and so on.”

There are various tools to protect one’s privacy online, as Reg readers know. For example, there’s Disconnect Private Browsing: it blocks third-party cookies and prevents organizations such as Facebook, Google, and Twitter from tracking you around the internet against your wishes. Another option is Privacy Badger by the non-profit Electronic Frontier Foundation.

And the freshly released Facebook Container add-on helps Firefox users shield their web activity from Facebook.

Block and tackle

For Loder, this sandboxing of identities is a step in the right direction, though it doesn’t go far enough. He advocated the development of a browser plugin that not only blocks access to people’s real identities, but also automatically torpedoes badly behaved sites by feeding them garbage personal information.

Websites to be misled by the plugin would be selected from a crowd-sourced list. Loder batted away criticism that this mob-decided hit list could be gamed to swamp legit sites with fake data.

“There are plenty of cases where imperfect solutions provide the ‘greatest good for the greatest number’ – technically, Google’s Safe Browsing database can be abused, but the value far outweighs the potential for abuse,” he argued.

The greater good would be served by going after privacy abusers, Loder maintained.

“This is where the arms race starts to heat up: infosec starts treating abusers as more than a nuisance – they start treating them as an active adversary. The stance shifts from ‘block’ to ‘actively contain, deceive, and interdict’,” Loder concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/facebook_active_countermeasures/

Block blocked: Google to banish cryptominers from Chrome Web Store

Google will throw cryptocurrency-mining extensions out of its Chrome Web Store after finding so many were badly behaved.

From Monday, no more add-ons that churn out fun bucks will be added to the cyber-store’s shelves, and by July, those listed in the code bazaar will be removed.

The ads giant allowed plugins onto the browser’s software souk if their sole purpose was crafting alt-coins, which are invariably based on blockchain technology, and netizens are made aware of these mining operations.

Now the Mountain View biz is sick of it all: according to Google, “90 per cent of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”


“Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency,” said Googler James Wagner, Chrome’s extensions platform product manager.

“Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June. Extensions with blockchain-related purposes other than mining will continue to be permitted in the Web Store.”

Cynically minded folks will exhibit no surprise at an online advertising goliath canning crypto-mining, a non-advertising form of online revenue. However, alt-coin-generating scripts are getting a deserved bad rap. They hog CPU performance to pocket pennies, are neutralized by antivirus and ad blockers, and are often injected into webpages by hackers in so-called crypto-jacking attacks.

They are arguably the internet’s bête noire of the late 2010s, right behind Facebook. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/02/google_chrome_cryptomining/

Hudson’s Bay Brands Hacked, 5 Million Credit Card Accounts Stolen

The infamous Carbanak/FIN7 cybercrime syndicate breached Saks and Lord & Taylor and is now selling some of the stolen credit card accounts on the Dark Web.

An infamous cybercrime group hacked and purloined some 5 million credit card numbers from Hudson’s Bay brands Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor in a massive retail data breach disclosed over the weekend.

In an advertisement posted on the Dark Web on Sunday, 125,000 of the stolen credit card accounts were offered for sale. The breach was first disclosed in a blog post by security analysts at Gemini Advisory, revealing that the entire network of Lord & Taylor stores, 83 Saks Fifth Avenue stores, and an unknown number of Saks Off Fifth stores were compromised by malware that breached the point-of-sale system in each location.

“The length of the breach says a lot about the methodology,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. He explains that the breach, which Gemini Advisory says occurred from May 2017 until the time of the announcement, is characteristic of an attack that compromises the PoS and captures credit-card transaction data and metadata, exfiltrating the data over time.

This long-term compromise of the PoS system is also a characteristic of the Carbanak cybercrime gang aka JokerStash aka FIN7, based on their previous attacks. It’s the same cybercrime gang behind breaches at Whole Foods, Chipotle, and Jason’s Deli (among other hospitality companies), and typically employs the long-lasting data skim method.


“With thousands of devices spread across hundreds of stores, it can be very difficult for retailers to secure their entire networks. All it takes is for one point-of-sale device or router to be left un-patched for an entire company to be compromised,” Peter Martini, president and co-founder of iboss, said in a statement.

While no details have been released on precisely how many PoS terminals were compromised, Gemini Advisory says that the majority of credit cards affected were used in New York and New Jersey stores. And some experts see that limited geography as a tool in figuring out how long the attack has been in operation.

“While locale-specific attacks like these aren’t uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection,” says Terry Ray, CTO of Imperva.

According to Ray, multiplying known factors such as the number of locations, the average number of customers per day, and the number of customers paying by credit card leads to the conclusion that this malware infection could have been present for as many as 500 days.

Faster Response

The duration of the attack is something that a number of analysts have targeted as an example of an area of enterprise security that organizations should work to improve.

“People need to understand that breaches will happen. It’s flawed to think that a prevention system alone will be so strong that you never have to deal with detection inside the network,” says Juniper’s Hahad. He says that deficiencies in detection can lead to the worst sort of situation for a company, in which a third party recognizes and alerts you to the existence of a compromise.

Announcement of the breach comes on the heels of the announced arrest of the gang’s leader in Spain. While some in law enforcement had hoped that the arrest of the as-yet-unnamed individual might lead to a pause or slowdown in the Carbanak group’s activity, the advertised sale of credit card numbers would seem to indicate just the opposite.

In a statement posted online, Saks Fifth Avenue says that the owners of any credit card numbers impacted by the breach will be notified and offered free credit reporting services.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/hudsons-bay-brands-hacked-5-million-credit-card-accounts-stolen/d/d-id/1331431?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple