Monthly Archives: June 2014

Target finally gets its first CISO

Target has hired a new Chief Information Security Officer (CISO), a move that’s noteworthy mainly because it is the first time the company has ever had anyone in this role, even though it is one of the largest retailers in the U.S.

Target on Tuesday announced that Brad Malorino is its new senior vice president and chief information security officer. In that role, Malorino will be responsible for managing Target’s technology risk strategy and for taking steps to avoid a repeat of the massive data breach at the company last year.

Malorino was previously the chief information security and information technology risk officer at General Motors, where he was responsible for overhauling the automaker’s global information security organization, Target said in a statement.

Prior to GM, Malorino was CISO at General Electric. As Target’s CISO, Malorino will report to Bob DeRodes, the company’s recently appointed chief information officer.

Target’s decision to hire Malorino comes about six months after the company disclosed a massive breach that exposed data on about 40 million credit and debit cards and personal data on about 70 million customers.

Target’s security practices came under intense scrutiny following the breach, with many faulting the company for not having basic precautions in place for detecting and responding to the intrusion. The breach has already cost Target’s former CIO Beth Jacobsen her job and was at least partly responsible for Target CEO Gregg Steinhafel’s decision to step down as well.

Recently, Institutional Shareholder Services (ISS), a company that advises institutional shareholders on governance risk and proxy voting issues, said it wanted seven of Target’s 10 board directors voted out for not paying enough attention to data security risks.

The report noted that Target’s board should have been aware, even before the breach, of the possibility of theft of sensitive information given the company’s size and the number of credit and debit card transactions it handles.

Consequently, the company’s move to appoint a new CISO and a chief compliance officer appears to be a case of too little too late, ISS noted. “The addition of these ‘new’ positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles,” the report said.

Target, though, is not the only large company guilty of such oversight.

Neiman Marcus, another big name retailer that suffered a recent data breach, is also only now looking to hire a CISO. In a recent job ad, the company said it is looking for a vice president and chief information security officer to establish and maintain an enterprise-wide information security program.

The position will be responsible for “identifying, evaluating and reporting on security risks in a manner that meets or exceeds compliance and regulatory requirements,” the job ad noted.

A recent survey-based report by PwC on the state of U.S. information security practices found that a “vast majority” of the companies that participated had cybersecurity programs that fell well short of recommended best practices. For instance, just 28% of the companies had a CISO.

The fact that many companies, including large ones like Target, get religious about security only after a breach is a surprising, but “sad reality,” said Richard Stiennon, principal security analyst at IT-Harvest.

Companies like Target should have hired a CISO years ago — particularly after breaches at companies like TJX, which highlighted the threat retailers face, Stiennon said. “Nobody pays attention to security until after an intrusion. It is the same story playing out even after a decade” of high profile breaches.

Target’s decision to choose a security executive from the manufacturing industry is also interesting because it would have made more sense for the company to try and hire someone with experience in retail, Stiennon added.

Via: csoonline

Amazon could be Launching Streaming Music Service As Soon As This Week

E-commerce giant Amazon is planning a streaming music service of its own in order to join the ranks of virtually every other tech company in existence, according to the New York Times. The streaming feature would give Amazon Prime subscribers free access to a library of thousands of songs, sans any advertising. It won’t include new releases, however, and Universal Music Group artists will be left out, according to the report.

Those are big conditions on a streaming service, especially if it’s designed to go toe-to-toe with the likes of Rdio, Spotify and the just-acquired Beats Music, all of which include Universal Music Group, all of which offer new releases (though some are occasionally omitted), and all of which offer millions, not thousands of songs. But Amazon doesn’t have to compete directly with these services; instead, its streaming offering will likely operate as an add-on incentive for Prime subscribers.

Amazon recently increased the price of an annual Prime subscription from $79 to $99. The price increase comes with expanded offerings, however, including HBO titles available to Amazon Prime Instant Video users.

The reason Amazon’s streaming service will be more limited is said to be due to a failure to come to terms in licensing negotiations, since the music companies considered Amazon’s rate offerings too low. The financials for Amazon included the opportunity to share in a $5 million royalty pool for smaller labels, and larger one-time payments for big publishers like Sony and Warner Music, in exchange for a year of access rights. It isn’t clear what the final cost to Amazon for licensing fees ended up being.

Amazon currently has somewhere around 20 million Prime subscribers, according to the company’s own statement from late last year. It’s a big-margin business for Amazon, so growing that segment makes a lot of sense, and small incentives can help the overall package look far more enticing, even if, viewed in direct comparison to other paid streaming services, Amazon’s doesn’t sound like it will stack up all that well.

Via: techcrunch

Microsoft boosts Skype for iPhone speeds 5X

Overhauled communications software due in a week, new version for iPads coming, too.

Skype on Apple iPhones will be five times faster than it is now with Microsoft’s release next week of Skype 5.0 for iPhone.

The goal of rewriting the app “from the ground up,” says Microsoft in a blog, is to make Skype on iPhones familiar to anyone who has used Skype on Windows Phone and Android phones, but at the same time take advantage of features unique to iOS.

Some of the new features:

  • For people using Skype from multiple devices, the new client will sync notification status to all devices. So if a message is read on users’ PCs, it will also automatically be marked as read on their iPhones.
  • Messages sent when recipients are offline will be delivered when they log back on.
  • Group chats can be initiated from the home screen.
  • Scrolling from screen to screen is smoother and is punctuated by animations.

Microsoft says it is prepping a new Skype version for iPads “soon” as well.

Via: networkworld

AT&T Mobility data breach

This week AT&T Mobility filed a breach notification in California.

Apparently, from April 9 until April 21, 2014, one of their third-party providers violated their security and privacy guidelines and was accessing customer data. AT&T believes that the data was accessed in an effort to unlock phones for secondary-market resale. The breach was discovered on May 19, 2014.

Now, the problem here is that in doing so, the AT&T partner employees would have been able to view customer social security numbers and date of birth. In addition to this information the Customer Proprietary Network Information (CPNI) which is related to services that they had subscribed to with the mobile provider would have been viewable.

AT&T will be offering one year of free credit reporting for customers affected by the breach. While we know the date range, it was not immediately clear how many customers were in fact affected.

Federal law enforcement has been informed of the unauthorized access to the customer data but, again, there is no detail as to whether or not this will be investigated further.

One other piece of information that they included was the recommendation that customers change their passcode and, if the customer doesn’t have a passcode, that they add one. So, is this to say that the passcodes were compromised as well?

Notifications are winding their way towards affected parties.

Via: csoonline

One-click test finds Gameover Zeus infections on PCs

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank-credential-stealing malware, uses a decentralized network infrastructure of compromised personal computers and web servers for command-and-control.

Gameover Zeus, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. Gameover Zeus, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of Gameover Zeus P2P infrastructure makes takedown efforts more difficult.

Users can find out whether their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week, simply by visiting a Web page.

The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware’s aggressive URL matching algorithm.

Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware’s configuration file.

For example, to steal log-in credentials for Amazon.com or other Amazon websites, the malware checks whether any URL accessed in the browser matches the regular expression “http.*?://.*?amazon..*?/.*?”. However, this regular expression matches not just Amazon sites, but any URL that has “amazon” in it, including https://www.f-secure.com/amazon.com/index.html.

“We can use this to ‘trick’ Gameover bots and make an easy check to see if an infection is present in your browser!” said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.

Tricking an infected PC to “bite”

Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.

“We search for the string ‘LoadInjectScript’,” Tikkanen said. “If the string is found on the page, we know Gameover Zeus has infected your browser!”

The test is not perfect though, because the malware doesn’t support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.
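The two pieces of the check described above, the over-broad URL rule and the page that inspects its own markup for a marker string, can be shown in a few lines. The following is an added illustration written for this page, not F-Secure’s test code: the rule string is the one quoted in the article, the marker string is the one Tikkanen names, and the sample HTML pages, URLs and function names are constructed. It runs offline in Node.js; in a browser, checkThisPage() inspects the live document instead.

```javascript
// Added illustration (not F-Secure's code). Names and sample data are constructed.

// The rule quoted in the article, as it appears in the malware's configuration.
// The "." after "amazon" is unescaped, so it matches any character, and nothing
// anchors the pattern to the host name: a path component can trigger it too.
const AMAZON_RULE = "http.*?://.*?amazon..*?/.*?";

// Return true when a URL would be selected by a GOZ-style rule.
function urlMatchesRule(url, rule = AMAZON_RULE) {
  return new RegExp(rule).test(url);
}

// Marker string the test looks for once the page has loaded. It is assembled
// from pieces so that the literal never appears in the served page's own
// script; otherwise the check would always fire on a clean page.
const INJECTION_MARKER = ["Load", "Inject", "Script"].join("");

// A page inspects its own serialized markup for a string it never contained
// when served. Returns true when the marker is present.
function pageWasModified(html, marker = INJECTION_MARKER) {
  return html.includes(marker);
}

// Browser entry point: run against the live DOM. Returns null outside a browser.
function checkThisPage() {
  if (typeof document === "undefined") return null;
  return pageWasModified(document.documentElement.outerHTML);
}

// Constructed sample pages for an offline demonstration. The "modified" page
// only simulates what an injected page looks like; the script is a placeholder.
const CLEAN_PAGE =
  "<html><head><title>check</title></head><body>ok</body></html>";
const MODIFIED_PAGE = CLEAN_PAGE.replace(
  "</body>",
  "<script>/* placeholder, not real malware */ " + INJECTION_MARKER + "();</script></body>"
);

// Apply the rule to a few constructed URLs and the check to both sample pages.
function demo() {
  const urls = [
    "https://www.amazon.com/",
    "https://www.f-secure.com/amazon.com/index.html",
    "https://example.com/amazonian/page",
    "https://example.com/?q=amazon",
    "https://example.com/",
  ];
  const matches = Object.fromEntries(urls.map((u) => [u, urlMatchesRule(u)]));
  return {
    matches,
    clean: pageWasModified(CLEAN_PAGE),
    modified: pageWasModified(MODIFIED_PAGE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points are worth noticing. First, the rule matches the F-Secure URL and an unrelated path containing “amazonian”, but not a query string ending in “amazon”, because the pattern still requires one more character and a slash after the word; the rule is broad, not unbounded. Second, the self-check can only see modifications made to the page the browser actually renders, which is why the 64-bit browser limitation the article mentions cannot be worked around in the page itself.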

F-Secure also provides a free online scanner that is capable of detecting and removing the threat.

Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.

According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.

The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it’s possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware, if found, as soon as possible.

Via: pcworld

DDoS triggers massive Evernote outage

Evernote was offline for several hours on Tuesday, returning only intermittently for some customers, while the company struggled to deal with a Distributed Denial of Service (DDoS) attack.

Users were left frustrated as they were denied access to their data, and Evernote’s status portal was impacted by the attack, leaving Twitter as the only means of public communication.

Last month, Evernote said that it serves more than 100 million users – a majority of them in Asia and Europe. Tuesday’s DDoS likely impacted all of them for a brief time, but there were reports on Twitter that some people were able to access their accounts despite the attack.

After four hours of continuous fighting, Evernote reported the issue resolved, but warned that there may be problems over the next 24 hours.

Tuesday’s attack, the company said in a statement, didn’t result in any data loss. As such, no account information was compromised.

In March of 2013, Evernote admitted that attackers had accessed user names, email addresses and encrypted passwords. In a blog post on the incident, the company said they were requiring password resets as a precaution.

Via: csoonline

Teens’ Online Behavior Can Get Them in Trouble

Do you really know what your kids are doing all the time? Probably not, unless you’re a stalker (just kidding). But really, there has to be some element of trust and you can’t physically be everywhere your kids are. And that also applies to the online world. As parents, we need to be aware of what our kids are doing, teach the “rules of the road,” and help them stay safe, but we can’t always be there with them every moment of every day.

But we do need to understand that our kids are doing things online that could expose them to risk. McAfee’s 2014 Teens and Screens study showed that tweens and teens continue to interact with strangers online and overshare information, even though they realize that these activities can put them at risk.

So what else did the study unveil? About 75% of tweens and teens friend people whom they know in the real world; however, 59% engage with strangers online, and one out of 12 meets the online stranger in real life. This could be because 33% of them say they feel more accepted online than in real life.

Additional facts to understand:

  • Our tweens and teens overshare personal information – 50% posted their email address, 30% their phone number and 14% (which is 14% too many) posted their home address, even though 77% know that what is posted online can’t be deleted and 80% have had a conversation with their parents on how to stay safe online
  • Social media friends are not always friendly – 52% have gotten into a fight because of social media, 50% have gotten into trouble at home or at school and 49% have regretted posting something.
  • Our kids are still hiding things from us – Although 90% believe their parents trust them to do what is right online, 45% would change their online behavior if they knew their parents were watching, 53% close or minimize their web browsers when their parents walk into the room and 50% clear the history of their online activity

Alarmingly, 24% said that they would not know what to do in the event of cyberbullying (how about stay away from the bully’s page and block the bully from your page?). A whopping 87% have witnessed cyberbullying and 26% have been victims themselves.

So with all this, how do we help our kids enjoy the benefits of being online while staying safe? Here are my top tips:

  • Establish rules: Parents should establish pinpointed rules about computer activities including sites the kids can visit and what is and isn’t appropriate behavior online, including the fact that online is forever.
  • Check in: Kids should be told to immediately report cyberbullying, whether they are witnessing it or being a victim.
  • Meet their “friends”: If it’s not possible to meet that person in person, then your child shouldn’t be chatting with them online.
  • Learn their technology: You should know more about the various devices that your kids use than your kids do, not the other way around.
  • Get their passwords: Parents should have full access to their kids’ devices and social media accounts at all times; they need the passwords.
  • Have security software on all their devices: Make sure all your kids’ devices and yours have comprehensive security software, like McAfee LiveSafe™ service.

Or you can just relegate your kids to their rooms and never let them out—like I’ve told my girls. Just kidding. But on a serious note – parents, it’s time to make this a priority, for you and your kids.

Via: information-security-community

Facebook stupidity leads to largest gang bust in NYC history

Kids can be street-smart and Facebook-stupid, to paraphrase how Vice News put it.

Police love that naive, completely misplaced trust in the supposed anonymity of social media postings.

In fact, it was a long trail of quite helpful Facebook postings about crimes that led New York City police to what authorities are calling “the largest gang takedown in New York City’s history”.

After a 4-year-long investigation by the New York Police Department (NYPD), 103 gang members were indicted on Wednesday, thanks mostly to the evidence teenagers left on their Facebook profiles.

Five hundred NYPD officers descended on two housing projects in the NYC neighborhood of West Harlem Wednesday morning to arrest 40 of those who were indicted.

Police told reporters that 23 more alleged gang members are still being sought, while the rest were apprehended prior to the Wednesday bust.

Most of those arrested are between 15 and 20 years old, while some were as old as 30.

Prosecutors say the boys and men belong to three gangs: the two allied gangs of Make It Happen Boys and Money Avenue, and their rivals, 3 Staccs.

The gangs have waged war over the past four years, with the carnage now resulting in accusations of two homicides, 19 non-fatal shootings and about 50 other shooting incidents, according to a press release put out by Manhattan District Attorney Cyrus R. Vance, Jr.

According to the indictments (which can be read here and here), the gang members fought tooth and nail to control their territory – the two housing projects are only a block away from each other – and to climb the gangster hierarchy via shootings, stabbings, slashings, assaults, gang assaults, robberies, revenge shootings, and murders.

They were also busy chronicling it all via social media, posting hundreds of Facebook updates, direct messages, mobile phone videos, and calls made from Rikers Correctional Facility to plot the deaths of rival gang members.

They used postings to publicize and claim credit for – and to rub their enemies’ noses in – their crimes, prosecutors say.

One of the gang’s victims – 18 year-old Tayshana “Chicken” Murphy – was a promising basketball star. Her father has said that she was being recruited by several colleges.

Ms. Murphy was gunned down in her building in September 2011. One of the gang members allegedly bragged about it on Facebook.

A second victim, Walter “Recc” Sumter, who owned the gun used to kill Ms. Murphy, was murdered that December in apparent retaliation.

Prosecutors say that two days after the death of Ms. Murphy, alleged gang member Davon “Hef” Golbourne wrote to a 3Staccs rival that they had “fried the chicken.”

The rival, Brian “Pumpa” Rivera, replied “NOW IMAAA KILL YUHH.”

In fact, investigators pored over more than 40,000 phone calls between gang members already in jail and those on the outside, hundreds of hours of surveillance video, and “more than a million social media pages,” Vance said in his statement.

According to Vice News, the word “Facebook” shows up 162 times in one of the indictments and 171 in the second.

Rev. Vernon Williams, a Harlem pastor who has spent years trying to curb youth violence in the neighborhood and who personally knows many of the indicted teens, told Vice News that they’re not the brightest bulbs on the tree when it comes to social media:

They are Facebook dummies.

Because the stuff that they were saying, that was gonna come back to bite them, especially admitting participating in crimes, admitting getting the weapons that were gonna be used in crimes, and then calling someone in a state prison and giving them a report of what they did.

But while the kids were undeniably stupid about Facebook, Williams also criticised the law for letting this battle rage for so long instead of stepping in earlier:

The indictment is almost 200 pages long and I would say 75-80 percent of [one of the indictments] is Facebook posts and similar activity.

The DAs office was helped by the accused. All [the police] did was watch and document it. I don’t know what took them so long, but once they had enough, they scooped them up.

That is a very good question. Why did police need four years to round these guys up when they had alleged criminals posting about it on social media?

Stupidity about social media is a gift to investigators. One would hope that the gift gets turned into protection for the community as fast as practicable.

Via: sophos

Why Changing Your Passwords Isn’t Enough: Heartbleed

The Heartbleed bug has sent a shockwave through the Internet, as millions of users try to take stock of all of the accounts they’ve ever created and figure out how to change their passwords. Too bad their passwords are just the beginning of the problem.

Given the reach of Heartbleed and how long the bug existed, it’s hard to even say how much data unscrupulous hackers could’ve gotten their hands on and, because of how it worked, we’ll probably never know. Most people are changing their passwords on affected sites, sitting back and thinking (or hoping) they’re safe. But now is when the work really begins for a large group of scammers. Since many websites ask you (or even require you) to use your email address as a username, that information is also vulnerable to the Heartbleed bug. Welcome to the beginning of phishing season.

Phishing (and the other “ishings,” like vishing for phone scams and smishing for text scams) is a more time-consuming method of extracting the goods from you, but it is often more directly profitable. With information about where you have accounts and your email address, it’s easy enough to send you a phishing email that looks like it’s coming from Tumblr but leads you to “update your credit card” on a site that is definitely not Tumblr.

And it’s not just your email address you need to worry about. You wouldn’t believe how far phone scam artists can get with just a little information and the right tone of voice. Plus, while more and more people are texting, many newcomers to the technology haven’t even considered the possibility that the link in the text that is supposedly from “your bank” or “your mobile company” leads you to a site that puts malware right under your thumbs.

If a phisher reeled in or bought information of yours – like emails, addresses or phone numbers – compromised in the Heartbleed hack, what should you watch for?

1. Any emails from companies imploring you to “click here” to change your password or update your account information. Companies are learning not to do this precisely because it’s such a common phishing and spear-phishing tactic. You should try to pre-empt any such email by going straight to the affected websites once they’ve implemented the Heartbleed fix. But if you don’t, or didn’t, and get worried by the email, take the extra few seconds to open up a new tab and (correctly) type the website’s name into your browser.

2. Any phone call that promises to fix your problem but only if you give them passwords, account access or a credit card right now. Phone phishing (or vishing) scammers rely on two things to succeed: your fear that you did something wrong or are in some sort of trouble; and their ability to project authority and the ability to fix it. If someone calls you and wants any information and won’t allow you to get off the phone to call back the customer service number you find on your own, they aren’t legit.

3. Any text message from an unknown number. Don’t open links and pictures or call any numbers you just don’t recognize. Text-message phishers (known as smishers) use our own Fear Of Missing Out (FOMO) to draw us in and take advantage of us.

4. Any calls from weird numbers, especially if your cellphone isn’t widely known. I assume that there are (mostly young) people who often get calls or texts from numbers they don’t know after a night – or several nights – out. But for the rest of us, we probably hoard our cellphone numbers closer than most of the rest of our personal information, if only to avoid overage charges. So if you suddenly start getting calls from numbers you don’t know, don’t let the FOMO lead you down the wrong path. Let them leave a voice mail: Just because you can pick up doesn’t mean you have to.

Technology has made a lot of things more convenient, but it’s also made the cleanup of a major security flaw like Heartbleed incredibly difficult. In the face of such a global issue, simply changing our passwords is like using caulk to seal a crack in the Hoover Dam. Bugs and breaches, hackers and phishers are the new norm and we can no longer assume that technology will bail us out or “it won’t happen to me.” It is critical that we change the way we think about security and realize that in the end that each of us must be more vigilant and aggressive in our cyber self-defense.

Via: dailyfinance

AmEx Credit Card Breach: How To Protect Yourself

American Express is notifying 58,522 California residents that data including their names and account numbers may have been breached. The company was informed by law enforcement that several large files containing the personal information were posted online by apparent members of Anonymous, the online “hacktivist” network.

In what’s becoming an unfortunate ritual for U.S. consumers, news of another data breach, this time at American Express, is prompting calls for cardholders to protect themselves.

Earlier this week, American Express announced that it was notifying 58,522 California residents that data including their names and account numbers may have been breached. More than 18,000 more California residents, the notice said, may have had other information breached, but not their names.

According to the notice, the company was informed by law enforcement that several large files containing the personal information were posted online by apparent members of Anonymous, the online “hacktivist” network.

The company believes the subgroup Anonymous Ukraine was specifically to blame.

Scott Mitic, a vice president at Equifax, one of the three American credit bureaus, called the incident “yet another in the nearly constant stream of data breaches that affect U.S. consumers today. It’s part of our day-to-day lives.”

On the spectrum of breaches, he said, credit card info isn’t as damaging as personal information such as social security numbers and birthdays, which can be used indefinitely for identity theft.

In this case, he encouraged cardholders to check their recent transactions, place fraud alerts on their accounts and check their credit reports.

It’s unclear when the data was breached, but AmEx first discovered it back on March 25, according to the company.

“We are strongly committed to the security of our card members’ information and strive to let you know about security concerns as soon as possible,” the company said in a statement. “At this time, we believe the recovered data may include your American Express Card account number, the card expiration date, the date your card became effective and the four digit code printed on the front of your card.”

The company said it had placed additional fraud monitoring on affected cards, and assured customers that they are not liable for any fraudulent charges.

Via: enterprise-security-today