Hacking & Security

Comcast's open Wi-Fi hotspots inject ads into your browser

InfoWorld.com [Security] - 9 September 2014 - 17:09

Comcast is giving users a very good reason to demand an HTTPS connection on every site they visit. The Internet service provider has started injecting ads for its services on websites where you wouldn't normally see them when you're using an Xfinity public Wi-Fi hotspot.

Category: Hacking & Security

Salesforce.com warns customers of malware attack

InfoWorld.com [Security] - 9 September 2014 - 16:48

Salesforce.com users are being targeted by a new version of a computer Trojan that has typically attacked online banking customers until now.

The malware threat is called Dyre or Dyreza and came to light in June. Like most online banking Trojans, it hooks the browser process to capture log-in credentials entered by users on websites belonging to financial institutions.

Category: Hacking & Security

What you need to know about the Home Depot data breach

InfoWorld.com [Security] - 9 September 2014 - 16:32

On Monday, Home Depot issued a public confirmation to reports that they had experienced a data breach impacting debit and credit cards.

They're the world's largest home improvement retailer, operating 2,266 stores in the U.S. as well as in 10 Canadian provinces, so news that they were the next big business to be targeted by payment system malware caused immediate comparisons to the Target breach.

Category: Hacking & Security

5 Nigerian gangs and their US accomplices are behind most Craigslist buyer scams

Sophos Naked Security - 9 September 2014 - 14:59
Research has found a new, more profitable twist on the same old 419 advance fee fraud scam. It involves real checks, printed on real check paper, using real routing numbers, and being handled with lots of US accomplices to cover up the Nigerians' tracks.

More 1024-Bit Certificates to Be Deprecated in Firefox

Threatpost - 9 September 2014 - 14:37
When Mozilla released Firefox 32 last week, the company removed several root certificates from the trust store for the browser. The move wasn’t because the certificates were fraudulent or the CAs that issued them were compromised, but because the certificates use 1024-bit keys. This is the first step in a process that Mozilla officials say […]
Category: Hacking & Security

Google ‘Sunsetting’ Weak SHA-1 Crypto Algorithm

Threatpost - 9 September 2014 - 14:26
Google has initiated a process to revoke trust from any certificates that rely on the outdated SHA-1 cryptographic hash algorithm.
Category: Hacking & Security

Russia Versus Wall Street: The JPMorgan Attack

InfoSec Institute Resources - 9 September 2014 - 14:15

JPMorgan Chase is the largest bank in the United States, with total assets of over $2.5 trillion. They reportedly spend about $250 million per year on technical security, or one dollar for every $10,000 they have in assets. They also employ more information security professionals than Google does, about a [...]

The post Russia Versus Wall Street: The JPMorgan Attack appeared first on InfoSec Institute.

Category: Hacking & Security

Clickjacking, Strokejacking or UI Redress

InfoSec Institute Resources - 9 September 2014 - 14:00

Introduction Clickjacking was first publicized by Jeremiah Grossman and Robert “Rsnake” Hansen in 2008. Clickjacking is an attack that is possible only by the use of iframes. Iframes are the HTML components that are used to load a webpage in a frame. Their height and width can be set to [...]

The post Clickjacking, Strokejacking or UI Redress appeared first on InfoSec Institute.

Category: Hacking & Security

Home Depot says, "Er, yes, we did have a breach actually"

Sophos Naked Security - 9 September 2014 - 13:49
Just how big and bad it will turn out to be is still unknown...all we know so far is that Home Depot has officially confirmed that, yes, there was indeed a breach.

Tech industry groups ask U.S. Senate to 'swiftly pass' NSA curbs

InfoWorld.com [Security] - 9 September 2014 - 13:27

Tech industry organizations have written a letter to leaders in the U.S. Senate, to ask them to swiftly pass the USA Freedom Act, legislation that is expected to end the collection of bulk domestic phone data by the National Security Agency.

Category: Hacking & Security

OpenSSL warns vendors against using vulnerability info for marketing

LinuxSecurity.com - 9 September 2014 - 11:53
LinuxSecurity.com: Security advisories for OpenSSL should not be used for competitive advantage, according to the development project behind the widely used cryptography component.
Category: Hacking & Security

Google 'Sunsetting' Weak SHA-1 Crypto Algorithm

LinuxSecurity.com - 9 September 2014 - 11:51
LinuxSecurity.com: Google announced Friday it will begin the process of phasing out the obsolete SHA-1 cryptographic hash algorithm with the upcoming release of version 39 of the company's Chrome browser in November.
Category: Hacking & Security

In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud

Krebs on Security - 9 September 2014 - 05:26

Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.

The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores. But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.

Experts say the thieves who are perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.

Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).

This is especially helpful for fraudsters since most Home Depot transactions are likely to occur in the same or nearby ZIP code as the cardholder. The ZIP code data of the store is important because it allows the bad guys to quickly and more accurately locate the Social Security number and date of birth of cardholders using criminal services in the underground that sell this information.

Why do the thieves need Social Security and date of birth information? Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:

- the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card;
- the card’s expiration date;
- the customer’s date of birth;
- the last four digits of the customer’s Social Security number.

On Thursday, I spoke with a fraud fighter at a bank in New England that experienced more than $25,000 in PIN debit fraud at ATMs in Canada. The bank employee said thieves were able to change the PINs on the cards using the bank’s automated VRU system. In this attack, the fraudsters were calling from disposable, prepaid Magic Jack telephone numbers, and they did not have the CV2 for each card. But they were able to supply the other three data points.

KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot. The manager said the bad guys called the customer service folks at the bank and provided the last four of each cardholder’s Social Security number, date of birth, and the expiration date on the card. And, as with the bank in New England, that was enough information for the bank to reset the customer’s PIN.

The fraud manager said the scammers in this case also told the customer service people they were traveling in Italy, which made two things possible: It raised the withdrawal limits on the debit cards and allowed thieves to withdraw $300,000 in cash from Italian ATMs in the span of less than 120 minutes.

One way that banks can decrease the incidence of PIN reset fraud is to require that callers supply all of the requested information accurately, and indeed the bank employee I heard from in New England said a nearby financial institution she’d contacted that used the same VRU system saw its PIN fraud drop to zero when it began requiring that all questions be correctly answered. The bank on the West Coast that I interviewed also said it had already begun requiring all five elements before processing PIN changes on any cards that have been used at Home Depot since April.
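The VRU pattern described above, turned into detection logic a bank's fraud team could run over account events: a PIN change that cleared only some of the five checks, followed within two hours by a travel notice and ATM cash-outs outside the US. This is an added example, not code from the article or from any bank; the event schema, the policy names and the sample timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The five VRU checks the article lists: calling number on file, CVV2,
# expiry date, date of birth and last four of the SSN.
ALL_CHECKS = frozenset({"phone_on_file", "cvv2", "expiry", "dob", "ssn4"})

@dataclass
class Event:
    """One account event (constructed schema, not a real bank's)."""
    ts: datetime
    kind: str                        # pin_change | travel_notice | atm_withdrawal
    channel: str = ""                # "vru" or "agent" for pin_change
    passed: frozenset = frozenset()  # checks the caller satisfied on pin_change
    country: str = "US"              # ATM country for atm_withdrawal
    amount: float = 0.0

def pin_change_allowed(passed, policy):
    """Does a PIN change go through? 'three_of_five' is the weak rule the
    article describes; 'all' is the fix the New England bank adopted."""
    hits = len(ALL_CHECKS & frozenset(passed))
    return hits >= 3 if policy == "three_of_five" else hits == len(ALL_CHECKS)

def flag_pin_reset_fraud(events, window=timedelta(hours=2)):
    """Return one alert string per PIN change that did not clear all five
    checks and is followed within `window` by a travel notice or by ATM
    cash-outs outside the US (the Italy cash-out pattern in the article)."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "pin_change" or ev.passed == ALL_CHECKS:
            continue
        later = [e for e in events[i + 1:] if e.ts - ev.ts <= window]
        travel = any(e.kind == "travel_notice" for e in later)
        foreign_cash = sum(e.amount for e in later
                           if e.kind == "atm_withdrawal" and e.country != "US")
        if travel or foreign_cash > 0:
            alerts.append(f"{ev.ts:%H:%M} {ev.channel} PIN change cleared "
                          f"{len(ev.passed)}/5 checks; travel_notice={travel}; "
                          f"foreign ATM cash in window: {foreign_cash:.2f}")
    return alerts

# Constructed timeline modelled on the West Coast bank case: SSN4, DOB and
# expiry only, then a "travelling in Italy" notice and Italian ATM withdrawals.
T0 = datetime(2014, 9, 8, 10, 0)
SAMPLE = [
    Event(T0, "pin_change", "vru", frozenset({"expiry", "dob", "ssn4"})),
    Event(T0 + timedelta(minutes=5), "travel_notice"),
    Event(T0 + timedelta(minutes=40), "atm_withdrawal", country="IT", amount=800.0),
    Event(T0 + timedelta(minutes=95), "atm_withdrawal", country="IT", amount=800.0),
]
```

Under the 'three_of_five' policy the sample PIN change is accepted and the cash-out chain fires a single alert; under 'all' the same caller is refused at the PIN step and the chain never starts.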

Still, some of the world’s largest banks have begun moving away from so-called knowledge-based authentication for their VRU systems toward more robust technologies, such as voice biometrics and phone printing, said Avivah Litan, a fraud analyst with Gartner Inc.

“We saw this same activity in the wake of the breach at Target, where the thieves would call in and use the VRUs to check balances, remove blocks on cards, get the payment history and of course change PINs,” Litan said.

Voice biometric technologies create an index of voice fingerprints both for customers and various fraudsters who conduct VRU fraud, but Litan said fraudsters often will use voice synthesizers to defeat this layer of detection.

Phone printing profiles good and bad callers alike, building fingerprints based on dozens of call characteristics, including packet loss, dropped frames, noise, call clarity, phone type and a host of other far more geeky concepts (e.g., “quantization,” and “taggers“).

ANALYSIS

The fact that it is still possible to use customer service or an automated system to change someone else’s PIN with just the cardholder’s Social Security number, birthday and the expiration date of their stolen card is remarkable, and suggests that most banks remain clueless or willfully blind to the sophistication of identity theft services offered in the cybercrime underground. I know of at least two very popular and long-running cybercrime stores that sell this information for a few dollars apiece. One of them even advertises the sale of this information on more than 300 million Americans.

Banks are long overdue to move away from knowledge-based authentication. Forget about the fact that most major providers of these services have been shown to be compromised in the past year by the very crooks selling Social Security numbers and other data to identity thieves: The sad truth is that today’s cybercriminals are more likely to know the correct answers to these questions than you are.

I bring this up mainly because Home Depot is, predictably, offering credit monitoring services to affected customers (which, given the length of this breach is likely to impact a significant chunk of the American population). Credit and debit card fraud is annoying and inconvenient and can be at least temporarily expensive for victims, but as long as you are keeping a close eye on your monthly statements and reporting any unauthorized charges immediately, you will not be on the hook for those charges.

Please note that credit monitoring services will not help with this task, as they are not designed to look for fraud on existing accounts tied to your name and personal information. As I’ve noted in several stories, credit monitoring services are of dubious value because although they may alert you when thieves open new lines of credit in your name, those services do not prevent that activity. The one thing these services are good for is in helping identity theft victims clean up the mess and repair their good name.

However, given the fact that your Social Security number, date of birth and every possible answer to all of these knowledge-based authentication questions can be had for $25 in order to establish new lines of credit in your name, it makes good sense for people to avail themselves of free credit monitoring services. But there is little reason to pay for these services. If you don’t already have a credit monitoring service for free then maybe you haven’t been paying close enough attention to the dozens of companies over the past year that have likely lost your data in a breach and are already offering these services for free.

For more information about the benefits and limits of credit monitoring services — as well as other helpful tips to proactively safeguard your credit file — see this story.

More information, including an FAQ about the breach, released by Home Depot is available at this link.

Category: Hacking & Security

Teen's open Facebook invite leads to 500 unexpected gatecrashers

Sophos Naked Security - 9 September 2014 - 02:49
Maybe there's a better way to impress a girl than hosting a party where she invites all her gazillion Facebook friends to trash your mum's house.

Home Depot Confirms Breach, Transactions From April On At Risk

Threatpost - 9 September 2014 - 01:23
Home Depot finally confirmed its payment systems have been breached, but offered little further on whether customer personal data was stolen.
Category: Hacking & Security

Home Depot confirms breach of its payment systems

InfoWorld.com [Security] - 9 September 2014 - 01:18

Home Depot said Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the United States and Canada since April.

There's no evidence yet that debit card PIN numbers had been compromised, the company said, though it was still figuring out the scope and scale of the attacks.

Category: Hacking & Security