Monthly Archives: August 2013

Apple’s iPhone Trade-in Program Is Already Being Piloted, Here’s How It Works

Apple is about to introduce an iPhone trade-in program that will allow users to walk into a Retail store and trade up from an old model to a new one. We’ve heard some interesting details about the way that the program will work, and indeed, is working right now in some pilot Apple Stores.

The program has gotten a bit of press today, with MacRumors’ Eric Slivka reporting that the training for the program is underway and Mark Gurman of 9to5Mac quoting a start date sometime in September.

But the trade-in program is actually already being piloted in some Apple stores, we’ve discovered. Those stores aren’t just preparing internally for an eventual program, they’ve been offering trade-ins to customers for several weeks. According to a source, this program was presented to them as something that may not be available at every Retail Store. Some of these pilot stores have been processing ‘multiple’ trade-ins a day at this point.

The program works like this. A customer brings a working, non-liquid-damaged iPhone into an Apple Retail Store. It’s then evaluated by an employee with Apple’s EasyPay terminals, which are essentially iPod touches with credit card readers attached. The customer then answers a series of questions about the condition of the device in order to determine a value.

This procedure is similar to the way that Apple handles its iPhone recycling program now, but that is by mail only, covers a wide variety of products and is not offered in-store. If a customer wishes to trade in an old broken device for which there is no monetary value, they can do so as a simple recycle.

Values can range depending on a variety of factors, including device color, physical damage and liquid damage. Though the prices could very well be tweaked before the program goes wide, the range is said to be around $120-200 for 16GB iPhone 4 and 4S models. A 16GB iPhone 5 in good condition could go for around $250, less than is being offered by some of the other trade-in sites like Gazelle, Glyde or NextWorth.

Still, the in-store convenience of the program could definitely offer the advantage here. Being able to walk in and get the deal done instead of mailing it off and waiting is powerful.

Once the paperwork is done, the value is added to a gift card. The balance is applied to a new device, and the customer keeps the gift card if there’s money left over. The store keeps the old phone. The trade-in program is only applicable if you’re in the store to get a new phone, so you can’t just trade it for a gift card.

That value can be used in credit for a new device but only if the customer has an upgrade credit available. So there is a carrier check involved. If a user does not have an upgrade credit, they could presumably pay the early termination fee of their carrier and use the credit towards a new device on another carrier.

Currently, the devices are dropped into a bag and presumably shipped off elsewhere, likely emerging markets, for refurbishment and resale. They are not resold at the store where the trade-ins are being offered. So far, customers have been pretty excited that this option is now available at Apple Retail stores.

Obviously, this is how the pilot program is working; there could be some details that change between now and when it’s set to go live. We’ll let you know if anything material changes. We’ve reached out to Apple for comment on the new program, but have not heard back.

Via: techcrunch

Amazon Web Services Suffer Second Outage in Seven Days

“It appears that roughly once a quarter Amazon servers suffer glitches or problems and major websites go down. It’s starting to become a problem for Amazon and the companies that rely on Amazon to host their sites, like Netflix. It’s not clear what they can do about it except put pressure on Amazon,” said Sterling Market Intelligence analyst Greg Sterling.

For the second time in a week, Amazon Web Services (AWS) went down again. I repeat: Amazon Web Services went down again. The service had yet another glitch on Sunday that reportedly took some big names down with it.

According to the Wall Street Journal, prominent websites and apps, including Airbnb, Facebook’s Instagram, Twitter’s Vine, all suffered outages. These apps have one thing in common: they all tap into Amazon’s cloud-based network, known as Elastic Compute Cloud (EC2).

“We know many of you are having trouble loading Instagram. We identified the issue and are working to fix it ASAP,” Instagram posted on its Twitter feed. The BBC is reporting that the problems for U.S. consumers started around 4 p.m. ET and lasted for several hours with intermittent outages.

The Cost of Outages

Amazon could not immediately be reached for comment. During the outage, the company said it was investigating problems at its Virginia data center. According to the BBC, the problems were related to databases and the code controlling the core computers underlying AWS.

Amazon finally attributed the outages to a “partial failure of a networking device.” Specifically, Amazon said the problem caused poor service in some Elastic Block Store (EBS) storage volumes, which led to some APIs (application programming interfaces) throwing errors.

“The networking device was removed from service, and we are performing a forensic investigation to understand how it failed,” AWS said. “We are continuing to work on a small number of instances and volumes that require additional maintenance before they return to normal performance.”

That’s more than Amazon offered after last week’s outage. A week ago Monday, AWS suffered an estimated 25-minute outage that could cost the e-commerce giant millions of dollars in lost sales. But it could also hurt the company’s reputation, which could be more costly in the long term, especially considering that it’s an ongoing issue. This e-tailer also saw outage issues with its Amazon Web Services in January, when it was down for 49 minutes.

Will Brands Pressure Amazon?

We caught up with Greg Sterling, principal analyst at Sterling Market Intelligence, to get his take on the Amazon outages. He told us the e-commerce giant is starting to see downtime with some regularity.

In fact, he pointed out a pattern: It appears that roughly once a quarter Amazon servers suffer glitches or problems and major websites go down.

“With web hosting there are always going to be occasional issues. But it’s starting to become a problem for Amazon and the companies that rely on Amazon to host their sites, like Netflix,” Sterling said.

“It’s not clear, however, what they can do about it except put pressure on Amazon. It’s up to Netflix, Facebook and Twitter to put pressure on Amazon to minimize these occurrences with additional infrastructure support and redundancy,” he added.

Via: enterprise-security-today

The Time Warner Cable TV App For Xbox 360 Is Now Available, With Access To 300 Channels

The TWC TV app for Xbox Live, which was announced back in June, is now available for download from the Xbox Live Marketplace. Microsoft’s partnership with Time Warner Cable is a significant part of its efforts to position the Xbox 360 as the definitive one-stop solution for TV and movie streaming, and demonstrates the company’s continuing commitment to the console even as it prepares for the Xbox One’s launch later this year.

Now available to viewers with an existing Time Warner Cable subscription in the U.S. as well as an Xbox Live Gold membership, the TWC TV app will allow users to access up to 300 TV channels, including AMC, BBC World News, Bravo, the Cartoon Network, CNN, Comedy Central and the Food Network, depending on their specific subscription. It also enables users to navigate through TV shows, music and movies using voice and gesture control through the Kinect peripheral.

Xbox 360 owners already have access to apps from content providers including Netflix, Hulu Plus and Amazon Instant Video, as well as streaming live TV through networks like HBO GO, Fox News, NBC News, MTV and Nickelodeon.

Microsoft’s efforts to take its Xbox consoles beyond gaming will continue with the Xbox One, which already has a partnership with the NFL for exclusive content and fantasy football integration, and will also feature access to an exclusive TV series based on the Halo video game franchise that will be directed by Steven Spielberg.

Though the Xbox’s move away from its original gaming base stirred up controversy, it underscores how important streaming video is for tech companies as they compete to take over the living rooms of customers. Earlier this month, for example, Apple’s purchase of video recommendation site Matcha.tv was disclosed, a move that is in line with the company’s recent efforts to add new content and channels to Apple TV. Nintendo’s Wii U added access to Hulu Plus last year, while Google’s $35 Chromecast HDMI dongle works with apps like Netflix, YouTube and Google Play Movies and TV.

Via: techcrunch

EXIT strategy: Insider threat

Threats from inside an organization – and from third-parties – pose a burgeoning challenge for security professionals.

Bo Zhang, a 32-year-old programmer from Queens, N.Y., worked as a contractor for the Federal Reserve Bank of New York and moonlighted with a sideline IT business. But Zhang’s plans ended when the FBI arrested the Chinese national on charges of stealing source code – used to track payment and collections made by federal agencies – from his bank job. Zhang intended to use it as a training tool for his side venture.

Zhang’s actions are typical of what has of late become a common occurrence – and a challenging security problem in today’s enterprise security architecture: the insider threat.

Eric Chiu, president and founder of HyTrust, a Mountain View, Calif.-based cloud infrastructure control company, says the risk from inside is one of the greatest security challenges for today’s CIO. According to his company’s research, 43 percent of security breaches are due to trusted insiders.

Chiu says the risk posed by insiders – or what he deems “privileged users,” which intimates that an insider is not necessarily a direct employee – is real and on the rise. “The drivers are diverse and can range from malicious intent, potential profit, accidental and socially engineered,” he says. “However, the consequences are huge, whether you are talking about theft of confidential information, financial data, such as credit cards, or someone taking down the data center of a large enterprise.”

Alan Brill, senior managing director of Kroll Advisory Solutions, based in Secaucus, N.J., agrees that the definition of just who might be considered an insider has evolved. “Historically, it was easy,” he says. “Insiders were your employees, and everyone else was an outsider. But today, exactly who is an insider?”

Is it the employee on premises, he asks, or a contractor employed by an outsourced call center that’s 7,000 miles away who accesses the company’s sensitive information stored on a cloud server operated by another third-party contractor? Is it the driver of the delivery service that picks up the company’s backup media and takes it to a storage facility? Is it the programmer at a vendor who provides the analytical package the company uses through a SaaS interface? “They all have some level of authorized non-public access to your data,” Brill says. “And for these people, what degree of control do you exercise? Do you know the background checks or activity monitoring that the companies you entrust with your data actually do as part of their security protocols?”

For many global enterprises, identifying and understanding the inside threat involves mapping what Brill calls the “insider ecosystem.” Until a firm recognizes that scenario, he says it does not have a good basis for assessing its risk or determining the right course of action to control the threat.

Few industries are exempt from insider threats, but some do present more risk than others. Those markets where the underlying information is an integral and key asset of the company are at greater vulnerability, says C. Kelly Bissell, principal and U.S. information and technology risk management leader at Deloitte & Touche in Atlanta. “It always depends on specific exposures and situations of the insider,” says Bissell. “Theft is rampant across all industries, but certain ones have more valuable data to steal.” Most of the valuable data sits in banking, pharmaceutical, government and high-tech manufacturing, he says.

Via: scmagazine

Beyond the checkbox: PCI DSS

An upcoming update of a credit card standard offers an opportunity to assess overall security, says Symcor’s Della Shea.

For any organization that wants to do business without using cash, the Payment Card Industry Data Security Standard (PCI DSS) is akin to table stakes: It’s both a contractual agreement with card issuers and a guarantee of security to customers. Complying with its 12 principles is not an option for those who store, transmit and/or process cardholder data, and remaining compliant means keeping pace with the standard as it evolves to reflect emerging security concerns. Introduced by the world’s five leading card companies in December 2004, and managed by the PCI Security Standards Council (PCI SSC), the standard is updated every three years after extensive consultation with a wide range of players.

On the eve of a new version of the PCI DSS – set to be released on Nov. 7, and take effect Jan. 1 – many eyes are on the card industry to see what changes the new standard will bring. In advance of the release, those in the know are guarding the specifics, but in general terms it is anticipated to address issues of what falls within the scope of the standard, as well as network segmentation (i.e., where cardholder data resides within network devices), and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.

In some quarters, interest in the new release reflects concerns that the revised standard will add to the burden of compliance. After all, even the PCI SSC admits that understanding and implementing the dozen requirements, with their hundreds of sub-categories, can be daunting, especially for merchants without a large IT department or the resources to outsource compliance guarantees to a qualified security assessor (QSA) that the council has approved. Meanwhile, some skeptics question the continued relevance of the standard in the face of new technologies, such as tokenization, point-to-point encryption and chip cards. Still others are far more optimistic. Della Shea, chief privacy officer for Symcor, a Toronto-based financial processing company owned by Canada’s largest three banks, sees the new release as an opportunity to refocus on overall security.

Shea is one of a number of observers who believe that companies have placed too much emphasis on merely meeting the minimum requirements set out in the 12 steps.

“We need to get back to the original spirit of the PCI DSS,” she says. “Too often, companies take a ‘checkbox’ approach and just try to be compliant for its own sake. They’re missing the larger picture.”

Bob Russo, general manager of the PCI SSC, likens compliance to putting deadbolts on your house: You can install the locks to qualify for home insurance, he says, but how secure is your home if you don’t use them? “PCI standards are just a springboard to overall security for organizations entrusted with cardholder data,” he says.

Craig Spiezle, executive director and president of the Online Trust Alliance, a Bellevue, Wash.-based nonprofit whose goal is to promote innovation in online transactions, agrees. “Compliance is just a slice in time, a minimum threshold,” he says.

Shea, whose company provides services to more than 100 clients in the retail, banking and telecommunications sectors, says that if meeting PCI compliance can be compared to climbing Mount Everest, maintaining compliance is like living on the mountain. One mistake that many companies make, she says, is viewing compliance as merely a technical issue. That approach can be expensive and limiting.

“You need to take a business approach to compliance,” she says. “That means you need to have a business model, you have to fully understand it and you must be able to replicate whatever success you achieve.”

An enterprise-wide approach is critical, she adds. “You can’t maintain PCI compliance unless all your stakeholders are completely onboard. It’s very easy to separate issues into silos rather than sharing information and creating a common compliance culture.”

And, creating that culture throughout an organization demands strong and effective operational and governance models, she says, espousing some sound business basics that are often preached within corporations. Her ideal approach to compliance management begins with having key milestones and a dedicated budget. Next, it requires that someone maintains overall responsibility and follows through with a program of education, communication and proven change management principles.

Given the high stakes involved in handling consumer card data, failure is not an option, she says. “The goal of achieving and maintaining security in this environment forces you to be pragmatic.”

Via: scmagazine

Secret U.S. cyber actions exposed by Snowden leaks demand much larger debate

In April 2009, Gen. Keith Alexander, director of the National Security Agency, took the stage at the annual RSA Conference in San Francisco for a keynote address. He told the crowd of thousands: “The NSA does not want to run cyber security for the government.”

Instead, he said, the job of protecting U.S. infrastructure is a shared responsibility, falling into the hands of government agencies such as the Department of Homeland Security, as well as private sector companies and colleges and universities. “The government is here to protect the country from adversaries,” Alexander explained. “The NSA can offer technology assistance to team members. That’s our role.”

Alexander wasn’t lying, but he wasn’t exactly telling the truth either, as leaks from former NSA contractor and whistleblower Edward Snowden have revealed. The NSA never wanted to be in the cyber defense game, but it very much was gearing up, as we now know, for offensive digital missions.

Two months after that RSA address, the U.S. Cyber Command was formed, described as a new armed collaborative for protecting Department of Defense Networks. Not long after, Alexander was tapped to head up the command, while still leading the NSA. Fast forward to this past January, and the DoD announced plans to grow the command, which is closely tied with the NSA, nearly fivefold over the next few years, from around 900 to about 4,000 military and civilian personnel.

The talent boost will go toward safeguarding infrastructure deemed critical to the country’s security, such as the power grid, but also toward executing offensive missions, according to a Washington Post report. Citing an unnamed U.S. official, the article, however, said there were restrictions in place so that the “military would act only in cases in which there was a threat of an attack that could really hurt.”

That likely was the justification behind the “Olympic Games” program, responsible for the creation of the Stuxnet worm, which came to light in the summer of 2010 and which targeted Iranian nuclear systems. But does it hold water for the recent revelations by Snowden that the NSA is stepping up offensive cyber actions across the world?

Snowden leaked documents to the U.S. version of The Guardian newspaper that revealed that President Obama has ordered senior security and intelligence officials to “draw up a list of potential overseas targets for U.S. cyber attacks” that “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

But in an interview last week with Hong Kong’s South China Morning Post, Snowden presented much more damning evidence of the extent of these targets and attacks. The 29-year-old told the paper that the United States already has conducted at least 61,000 hacking operations globally, including against hundreds of targets in Hong Kong and mainland China, among them private businesses and a university that routes internet traffic for Hong Kong.

According to the paper, Snowden wanted to showcase “the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries.”

In a live online chat, he told The Guardian on Monday: “I did not reveal any U.S. operations against legitimate military targets. I pointed out where the NSA has hacked civilian infrastructure such as universities, hospitals, and private businesses because it is dangerous. These nakedly, aggressively criminal acts are wrong no matter the target. Not only that, when NSA makes a technical mistake during an exploitation operation, critical systems crash. Congress hasn’t declared war on the countries – the majority of them are our allies – but without asking for public permission, NSA is running network operations against them that affect millions of innocent people.”

If this is true, that the United States is spearheading widespread online assaults of civilian targets, likely in an attempt to mine for sensitive information, it is a far cry from cases in which there’s a threat of an attack that could “really hurt” the country.

One can liken these engagements to the nation’s ever-expanding drone war, which allegedly targets suspected terrorist targets, but often results in the deaths of innocent civilians. War journalist Jeremy Scahill, who has conducted gripping, on-the-ground reporting in some of these secret war zones like Yemen and Somalia, worries that these attacks could lead to blowback, as the families of victims will be incited to take up arms against America.

While espionage and sabotage conducted through the digital sphere won’t lead to bloodshed – at least not yet – news of these U.S. attacks is troubling. At the very least, the U.S. government runs the risk of losing all credibility in its efforts to discourage and prevent Chinese hackers from infiltrating American businesses and stealing hundreds of terabytes of data, as security company Mandiant documented earlier this year.

Should the nation continue to engage in this type of cyber behavior, in secret and protected from meaningful national debate and a full understanding of the legal framework behind it, serious unintended consequences could arise, ones that may make us weaker, rather than stronger, in cyber space. There have been initial attempts to define this emerging landscape, and U.S. ally Israel is also taking steps, but it’s nowhere near where it needs to be.

In short, caution, not aggression, should be the default setting for U.S. foreign cyber policy.

Via: scmagazine

Obama would prefer to prosecute leakers than discuss Stuxnet

When President Obama merely was candidate Obama in 2008, one of his keystone campaign pledges was to rid secrecy from government decision making. In fact, he vowed to transform his presidency into the “most transparent” administration in history.

 

Sadly, campaign promises are made to be broken, but that certainly doesn’t preclude the commander-in-chief from having to answer for those betrayals, especially when they could lead to significant, negative consequences.

Drones are a prime example. The United States currently is fighting several covert wars in which countries such as Pakistan and Yemen regularly are bombarded by robotic aircraft that are killing thousands of people (including three U.S. citizens), among them civilians. The government, meanwhile, is employing a bizarre guilt-by-association logic to make the attacks appear more precise and successful than they actually are. Details of the drone program have never been presented to the public, never mind discussed or debated by Congress, leading some lawmakers to question whether drones are even a legal mechanism of war.

Thus it was no surprise that when the U.S. government, in conjunction with Israel, created a super computer worm known as Stuxnet designed to attack Iran’s nuclear enrichment facilities, it did so under the cloak of extreme secrecy. The common argument in defense of this type of warfare is that by enlisting Stuxnet (and later the Flame virus), the United States was able to avoid mobilizing actual troops to accomplish its national security objectives. What often goes unmentioned, however, is that by unleashing one of the most sophisticated pieces of malware ever written on a nation against which there was no official war declared, the United States may have staged a cyber future that many people won’t like.

“We have all kinds of cyber weapons that have already been used by America and its allies,” Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit that researches the impact of America’s actions in cyber space, recently told me. “I compare it to entering the nuclear game without Hiroshima. We’ve got people using cyber weapons without thinking anything through but the tactical gain.”

Aside from the perfectly reasonable argument that American aggression, whether dealt by drones in the air or malicious code over computer networks, actually exacerbates anti-American sentiment and potentially incites violence against the United States that may have never happened in the first place, the legal justifications of Stuxnet and Flame are still unknown. Yet many countries eventually may look to the two pieces of malware as examples to follow. This could quickly escalate conflict in a domain that allows anyone to strike from anywhere, often anonymously. In short, all hell could break loose.

As Steve Coll wrote last June for The New Yorker: “Common sense argues for caution, especially by the President of the United States. It also argues for strong defenses, and the pursuit of global laws and norms to contain the military use of these technologies before they cause chaos and destruction. During the nineteen-fifties, a shocking number of American generals believed that a nuclear war could be won. ‘Olympic Games’ [codename for the Stuxnet operation] suggests a comparably self-aggrandizing strain among our new class of digital fighters. Here the comparison to the early nuclear era does seem apt. As a citizen, will it once again seem tempting to buy land, guns, gold, and bottled water?”

But instead of openly discussing the legal defenses and potential ramifications for this new era of battle, not to mention whether the attacked nation is sanctioned to respond back, the Obama administration actually has taken the opposite route, choosing to aggressively hunt down the officials who leaked the story to The New York Times that Stuxnet was a U.S. creation.

Prosecuting whistleblowers has been a common order of business during Obama’s time in the White House. And according to a Washington Post story, the FBI and U.S. Attorney General Eric Holder are stopping at nothing to unearth those involved in the Stuxnet leak.

“The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures, sometimes confronting them with evidence of contact with journalists,” according to the Post. “Investigators, they said, have conducted extensive analysis of the email accounts and phone records of current and former government officials in a search for links to journalists.”

I originally believed that the leakers of this story would not be sought because the disclosure was a calculated move on Obama’s part to appear tough on perceived enemies, especially in the lead-up to the presidential election. But that does not appear to be the case.

A healthy democracy demands debate and openness, or at the very least acknowledgement, of our government’s actions, which, after all, are committed in the name of the American people. What it does not necessitate is a relentless assault against revelatory journalism and the persecution of the very people who seek to divulge those truths.

Via: scmagazine

Attackers zero in on Steam gamers with help of Ramnit trojan

Users of the popular video game distribution service Steam are being targeted by a trojan that steals their login credentials and defeats the service’s password encryption mechanism by using HTML injection.

According to security firm Trusteer, which specializes in fraud prevention services, attackers have been on a campaign to obtain Steam users’ login data since mid-July.

Etay Maor, fraud prevention solutions manager at Trusteer, detailed the attackers’ exploits in a blog post, revealing that a variant of the trojan Ramnit was being used to compromise gamers.

A major software service that provides users access to more than 2,000 games, Steam has around 54 million members and is owned by Bellevue, Wash.-based software company Valve.

Steam was the victim of a massive breach back in November 2011, in which hackers accessed the personal data of up to 35 million users contained in a database.

This time, however, the vandals targeted individual users, Etay said.

Once users are infected by Ramnit, attackers wait for victims to log in to their Steam account, at which point miscreants use HTML injection to capture passwords, which are normally encrypted by the site, in plain text. To ensure that Steam’s operators are none the wiser to the attacks, the malware also removes the injected code before the information is sent to Steam’s website.

Maor described the man-in-the-browser (MitB) style attack on Trusteer’s blog.

“To avoid detection, Ramnit simply makes sure the server never sees the injection,” he wrote. “To do so, prior to the [username and password] form being sent to the website, Ramnit removes the injected element. This can be observed in the first part of the code.”

In an interview, Maor told SCMagazine.com that some researchers have begun to move away from strictly categorizing malware like Ramnit as “banking trojans” because variants are increasingly being repurposed to go after users at other sites.

“They are targeting everything – gaming services, dating sites – if there’s a username and password associated with it, they are going to target it at some point,” Maor said.

Services such as Steam are particularly attractive for crooks, Maor added. Gaming software is usually more vulnerable to attack, considering users tend to disengage their firewalls, security solutions or any other programs that could slow down their systems while they are gaming, he explained.

“If you get access to a Steam account, you can carry out identity theft of the gamer, like buy games and send them as personal gifts to other people,” Maor said. “It’s pretty similar to getting bank account access – their profile is now open and you can change their email or other account information. The last option, of course, is to just sell the credentials on an underground forum.”

It’s unclear how many people have fallen victim to the latest wave of attacks.

Per policy, Maor said Trusteer reached out to Valve prior to disclosing information about the attacks.

Via: scmagazine

We won’t pay for lawsuits related to your breach says Insurer to Schnucks

The insurer for Midwestern supermarket chain Schnucks, whose systems were hacked last winter to steal 2.4 million credit card numbers, is claiming in court that the grocer’s policy doesn’t cover the cost of lawsuits arising from the breach.

Liberty Mutual Insurance Co. last week filed documents in a Missouri court contending that the general liability policy it issued St. Louis-based Schnucks, which does business as Schnuck Markets, was not designed to insure “suits and claims arising from the data breach” it recently experienced.

In the court filings, Boston-based Liberty Mutual argued that the policy, which covers bodily injury and property damage, doesn’t make provisions for damage to electronic data.

Schnucks, which operates some 100 stores, learned that it had sustained a major breach in March after hackers raided its systems to steal 2.4 million credit and debit card numbers. The company said the unauthorized access may have continued for up to four months, from last December through March 29, which led to card numbers being compromised that belonged to shoppers at 79 of its locations.

Last Thursday, Main Justice published the documents filed by Liberty Mutual (PDF). The insurer said eight lawsuits filed by impacted Schnucks customers would not be covered by the supermarket chain’s insurance policy. In addition, (non-suit) claims by four banks and a payment solutions firm that requested to be reimbursed for costs allegedly arising from the breach should also be the responsibility of Schnucks, according to court documents.

Security Bank, Stillman Bank, First Data Merchant Services Corp., Think Mutual Bank and First Federal Savings Bank sent claims letters to Schnucks seeking reimbursement or restitution for lost funds.

In the filing, Liberty Mutual argued that electronic data was not considered “tangible property,” which would fall under the umbrella of property damage insurance.

“For the purposes of this insurance, electronic data is not tangible property,” Liberty Mutual argued. “The claims described in the complaints and claims are not for physical injury to or loss of use of any tangible property, but rather for the loss of personal information. Such a loss is not for ‘property damage.’”

Jason Weinstein, a partner at New York-based Steptoe & Johnson who specializes in data privacy and security litigation, said the Schnucks case is a reminder that organizations should not only expect to be breached, but also have a good handle on what their insurance policy covers, prior to an incident happening.

“A lot of these policies were written before anyone knew what a data breach was,” he told SCMagazine.com on Tuesday. “It’s better to take a proactive review of your insurance coverage and confirm it’s adequate before you need it.”

Entertainment company Sony is engaged in an ongoing legal battle with its insurer Zurich, which has said it’s not liable for customer suits stemming from Sony’s 2011 PlayStation Network (PSN) breach.

Via: scmagazine

Fraudsters target “wire payment switch” at banks to steal millions

Instead of targeting the bank accounts of individuals or organizations, criminals recently took over the wire payment switch at several U.S. banks to steal millions from their choice of accounts, according to a security analyst.

Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com in an interview that at least three banks were struck in the past few months using “low-powered” distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring.

Last week, Litan wrote a blog post on the attack method, which could have resulted in the banks losing much more money than they did, though the fraudulent transactions were in the “millions,” she said in a follow-up interview with SCMagazine.com.

Litan declined to reveal the names of the victim banks, but said that the attacks didn’t appear to be linked to the flood of hacktivist-launched DDoS attacks that hit these institutions last fall and winter. These new incidents are entirely financially driven, she said.

“It wasn’t the politically motivated groups,” she said. “It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.”

Litan told SCMagazine.com via email that the attacks “added up to millions [lost] across the three banks.”

The concern with the wire payment switch – a system that manages and executes wire transfers at banks – being targeted is that it could result in much more costly loss scenarios for banks. Traditionally, digital crooks stealing from banks have opted to compromise the computers of banking customers in order to obtain their bank login credentials, access the accounts and then funnel out money.

In this case, the vandals went directly after the banks, according to Litan.

While it’s unclear how the attackers gained access to the wire payment switch at banks, saboteurs could have targeted bank staff with phishing emails, an easy way to plant credential-stealing malware on target machines.

Researchers at another security firm have called attention to the trend of DDoS attacks being used as a cover for fraudulent activities at banks.

In April, Dell SecureWorks Counter Threat Unit (CTU) released its “2012 Threatscape Report,” (PDF) which highlighted notable trends that developed last year among cyber attackers.

The SecureWorks research team noted that fraudsters have been utilizing Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees’ attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers.

Last September, the FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3), issued a joint alert about the Dirt Jumper crimeware kit being used to prevent bank staff from identifying fraudulent transactions.

In the alert (PDF), the organizations said criminals used phishing emails to lure bank employees into installing remote access trojans (RATs) and keystroke loggers that stole their credentials.

In some incidents, attackers who gained the credentials of multiple employees were able to obtain privileged access rights and “handle all aspects of a wire transaction, including the approval,” the alert said – a feat that sounds daringly similar to recent attacks on the wire hub at banks.

“In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the alert said.

Litan suggested that financial institutions “slow down” their money transfer system when experiencing DDoS attacks in order to minimize the impact of such threats.
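One way to express the “slow down” control Litan suggests, as an added example that is not from the article or any bank’s system: wires submitted during a DDoS alert (plus a short cool-down) are held for manual review when they exceed a threshold, and self-approved wires are held regardless. The sample records, threshold, cool-down and field names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: DDoS alert windows from a hypothetical monitoring feed.
DDOS_WINDOWS = [
    (datetime(2013, 8, 1, 14, 0), datetime(2013, 8, 1, 15, 30)),
]

# Constructed wire requests: (id, submitted_at, amount_usd, initiator, approver)
WIRES = [
    ("W-1001", datetime(2013, 8, 1, 9, 15), 250_000, "alice", "bob"),
    ("W-1002", datetime(2013, 8, 1, 14, 20), 180_000, "carol", "dave"),
    ("W-1003", datetime(2013, 8, 1, 14, 45), 2_100_000, "erin", "erin"),
    ("W-1004", datetime(2013, 8, 1, 15, 40), 900_000, "frank", "grace"),
    ("W-1005", datetime(2013, 8, 1, 14, 50), 4_000, "heidi", "ivan"),
]

HOLD_THRESHOLD_USD = 100_000       # assumed manual-review threshold
COOL_DOWN = timedelta(minutes=30)  # assumed: keep holding after the alert clears


def in_ddos_window(ts, windows=DDOS_WINDOWS, cool_down=COOL_DOWN):
    """True if ts falls inside any alert window or its cool-down tail."""
    return any(start <= ts <= end + cool_down for start, end in windows)


def triage(wire):
    """Return (decision, reasons) for one wire request."""
    wire_id, ts, amount, initiator, approver = wire
    reasons = []
    if in_ddos_window(ts) and amount >= HOLD_THRESHOLD_USD:
        reasons.append("high-value wire submitted during DDoS window")
    # Weak proxy for broken dual control: one account did both steps.
    # It does not catch an attacker holding several employees' credentials.
    if initiator == approver:
        reasons.append("same account initiated and approved")
    return ("HOLD" if reasons else "RELEASE", reasons)


def triage_all(wires=WIRES):
    """Map each wire id to its decision."""
    return {w[0]: triage(w)[0] for w in wires}


if __name__ == "__main__":
    for w in WIRES:
        decision, reasons = triage(w)
        print(w[0], decision, "; ".join(reasons))
```
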

In a Tuesday email to SCMagazine.com, Limor Kessem, a cyber crime and online fraud expert at RSA’s FraudAction Research Lab, said her firm hadn’t seen the wire payment switch attacks in the wild, but that RSA’s customers had shared information about this threat with the research team.

“The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first,” she said in an email. “That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”

Via: scmagazine