Monthly Archives: October 2014

JP Morgan Chase confirms breach, 76 million homes and 7 million businesses affected

JP Morgan Chase, the largest bank in the US, informed investors on Thursday that a data breach during the summer had affected around 76 million households and approximately 7 million small businesses.

Confirmation of the scale of the breach, one of the largest ever, came in an 8-K filing with the Securities and Exchange Commission (SEC) in which the company revealed that the attackers took off with user information including names, addresses, phone numbers and email addresses as well as “internal JPMorgan Chase information”.

On a more positive note, the company says it has seen no indication that account numbers, passwords, user IDs, dates of birth and Social Security numbers were compromised and says it has not seen “any unusual customer fraud related to this incident.”

It also makes clear that customers will not be liable for any unauthorised activity on their accounts as long as they let the bank know “promptly”.

JP Morgan Chase, which trades as Chase bank, has published a list of frequently asked questions for customers concerned about the breach.

In it, the company reiterated that no sensitive financial information was stolen and that no unusual activity had been spotted since.

The bank warned of the threat of phishing attacks, which is exactly what happened in January 2014, a month after JP Morgan Chase experienced another breach which affected 465,000 prepaid cash card customers.

With that in mind, if you receive an email that appears to come from JP Morgan Chase & Co (or any other bank), be very wary. Remember that no legitimate financial institution is ever likely to send you an email asking for personal or sensitive financial information. If you wish to visit the official JP Morgan site, type the URL directly into your browser instead of clicking on a link within an email.

Of course, email isn’t the only possible means of a follow-up attack – social engineers may attempt to dupe Chase customers by telephone too, especially if they have hold of the phone numbers we now know were snaffled in the breach.

If you receive a call which appears to come from JP Morgan Chase, do not give out any information and hang up. If you actually need to speak to the bank, or wish to confirm the call was in fact genuine, call back using a phone number found on your credit card statement or other official banking paperwork.

The company says it will continue to work with government agencies to uncover the root of the attack.

Via: sophos

Is that iPhone Stolen? A Tool To Check Before You Buy

Would-be buyers of used Apple devices have a new way to make sure their acquisition wasn’t someone else’s loss through theft. Apple’s new iCloud tool lets users check to see whether the iPhone, iPad or iPod Touch they’re considering has been locked by a former owner.

A new feature on iCloud’s Find My iPhone page, the Check Activation Lock Status tool requires a user to type in either the device’s IMEI or serial number. Upon entering that information, a user can learn whether he or she can legitimately activate the device with a new Apple ID.

The tool is just the latest in a series of technology tweaks aimed at reducing smartphone-related crime. And officials across the U.S. and elsewhere are reporting that such efforts appear to be paying off in the form of declining smartphone theft rates.

Valuable Smartphone or Useless ‘Brick’?

Hitting the market this past Sept. 19, Apple’s new iPhone 6 and iPhone 6 Plus are both powered by the new iOS 8 operating system, which enables the anti-theft Activation Lock system by default. Rolled out in September 2013, Activation Lock allows users to remotely lock devices and render them useless if they are lost or stolen.

Available on Apple devices running iOS 7 and up, Activation Lock requires a valid Apple ID and password before a lost or stolen device can be reactivated. Without that information, iPhones, iPads and iPod Touches that fall into the wrong hands are supposed to become little more than useless “bricks.”

Earlier this year, iClarified reported that some hackers had found a way to bypass Activation Lock and reactivate devices without an Apple ID and password. With Apple’s latest lock checking tool, though, would-be buyers can still find out whether a used device was locked by its previous owner…which would raise red flags about both the device’s origins and potential usability.

Aiming at ‘Apple Picking’

The growing use of smartphones has made the devices an attractive target for thieves, who try to resell them quickly for a fast profit. Apple’s phones have proven to be a particular favorite among such criminals, leading law enforcement officials to name a new crime category, “Apple Picking.”

Faced with many smartphone thefts that included crimes of violence and even murder, a large number of police officials from across the U.S. and even London last year launched an initiative called “Secure Our Smartphones,” or SOS. Led by New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascón, the initiative has urged phonemakers to enable “kill switch” technology that lets users turn off their devices if the devices are lost or stolen. This year, Minnesota and California both adopted laws requiring all smartphones sold in those states to be equipped with kill-switch capabilities, and other states are considering similar measures.

A report issued by the SOS initiative this past summer indicated that thefts of iPhones in New York “fell significantly” after Apple rolled out its Activation Lock. Similar declines were reported in both San Francisco and London.

Via: enterprise-security-today

POS malware mayhem

Variations, dated versions, resurrections, and how to vanquish them all.

Don’t think for an instant that once POS malware is defeated the first time, it’s gone for good. These attacks have a habit of resurrecting themselves, with a lot of help from criminal hackers.

“The U.S. Secret Service and Trustwave researchers identified, analyzed, and named the Backoff POS malware, which has affected at least 1K businesses across the country,” says Karl Sigler, Threat Intelligence Manager, Trustwave. But while the security world is buzzing about Backoff POS and the BlackPOS malware that infiltrated Target last year, other POS malware is afoot, evolving, and potentially surging and resurging at any time.

“With each POS malware success—in terms of media coverage and organizational disruption—it’s also likely that attackers are contemplating even more aggressive methods of accessing valuable data,” says Gregg Aamoth, Co-Founder, POPcodes and former vice president and privacy officer, Macy’s, Inc.

With that, CSO opens a sort of “Pandora’s Box” of POS malware strains including Dexter, Alina, vSkimmer, TriForce, and OG, examining their ilk, ebb, and flow, and outlining the solution to POS malware attacks.

Old POS malware could be new again

POS malware strains such as Dexter, Alina, and vSkimmer have been the focus of security experts since before Backoff POS, says Aamoth. Dexter infiltrated systems with stealth, stole process lists, and sorted through memory dumps to acquire payment card data. It further leveraged a command and control server. “Dexter was also the first POS malware family to add a keylogger to its toolset,” says Aamoth.

Once security professionals logged Dexter’s behaviors and revealed its server domains, it became less effective so long as potential victims took note, plugged holes in security, and updated security technologies that use signatures to recognize known malware behaviors. But Dexter still threatens stores that do nothing and it will almost certainly evolve, successfully applying new behaviors and domains to future attacks.

Alina had a number of capabilities, taking an approach similar to Dexter’s. But Alina could update itself while on the infected system, making it more nimble. Though the industry has learned its behaviors, the same rules apply: it is a threat in its known form to those who do nothing, and it can evolve to envelop new behaviors, wreaking havoc again.

The vSkimmer POS malware, or virtual skimmer, updates firewall rules and makes a number of computer system changes to hide and accommodate itself. It can copy data to a USB drive when the Internet is not available for data transfers. As with other POS malware, if the enterprise doesn’t take the necessary mitigation steps, it risks suffering from the current version of this attack. And the enterprise that doesn’t do enough to protect itself could remain at risk from future forms of vSkimmer.

As for these warnings and premonitions, the same could be said for other POS malware including the new Soraya strain, the TOR-based Chewbacca, and Citadel. Just about any group with the right coding skills could grab one of these, insert additions and changes, and launch new attacks using new server addresses.

POS Malware Going Out of Style

TriForce and OG are two POS malware strains that are growing less effective, each with good reason. “We still see TriForce. It was the third most prevalent POS malware in the past year,” says Sigler. But TriForce has its weaknesses, stemming largely from a lack of funding. Funding is an issue with lesser POS malware.

While some criminal groups can afford to outsource their code in order to get quality programmers, others cannot. The hackers who wrote TriForce POS coded it in such a way that it eats up more system resources than it should. The lower quality work demonstrates that these hackers didn’t have the funding to hire skilled coders. Once the industry became familiar with TriForce and its behaviors, its odds of success diminished.

OG POS is dated. “The OG POS malware family is four years old and has fallen out of fashion,” says Sigler. Because they also lacked funding, the criminals who created OG POS built it using the tools that they could most easily access. Though OG suited their needs at the time, it never used encryption to conceal payment card data while they exfiltrated it. DLP programs can recognize the data leaving the enterprise. This weakness contributed to OG POS’ ultimate downfall.
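The kind of check a DLP control applies to unencrypted card data leaving the network, as an added example that is not part of the original article or any vendor's product: it looks for Track 2 records and bare card numbers in an outbound payload and confirms them with the Luhn checksum. The payloads and function names are constructed for illustration, and the card numbers are public test numbers.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM, 3-digit service code,
# discretionary digits, then '?'.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\?")
# Bare PAN candidate: 13-19 digits that are not part of a longer digit run.
PAN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters most random digit runs (about 1 in 10 pass)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so alerts never store a full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan_payload(payload: bytes) -> list:
    """Return (kind, masked PAN) for cleartext card data found in a payload."""
    findings = []
    for m in TRACK2.finditer(payload):
        if luhn_ok(m.group(1)) and 1 <= int(m.group(3)) <= 12:
            findings.append(("track2", mask(m.group(1))))
    # Blank out track-shaped spans so their digits are not reported twice.
    rest = TRACK2.sub(lambda m: b" " * len(m.group(0)), payload)
    for m in PAN.finditer(rest):
        if luhn_ok(m.group(0)):
            findings.append(("pan", mask(m.group(0))))
    return findings

# Constructed outbound payloads; the card numbers are public test numbers.
SAMPLES = {
    "track2 in cleartext POST": b"POST /up HTTP/1.1\r\n\r\nd=;4111111111111111=25121011234567890?",
    "bare PAN in form field": b"name=J+DOE&card=5555555555554444&zip=00000",
    "order id, fails Luhn": b"order=4111111111111112&qty=2",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", scan_payload(body))
```

The same payloads produce no findings once they are encrypted or even just encoded, which is why content inspection only caught malware that sent card data in the clear.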

How POS malware enters

According to Sigler, criminal hackers are getting POS malware in by using brute force tools such as Medusa or THC-Hydra in automated attacks against the poor login credentials of the third-party vendors that support POS systems remotely. “A lot of businesses buy or rent POS systems and count on those vendors for support,” says Sigler. The third-party vendors connect remote desktop software such as LogMeIn, Chrome Remote Desktop, and Apple Remote Desktop to the POS systems they support. These POS system vendors often use easily guessed usernames and passwords with this software, which are the kinds of credentials that brute force tools look for.

To find the remote desktop software and its login pages, hackers scan networks using free, standard off-the-shelf (OTS) port-scanning tools, looking for live IP addresses where the ports for remote desktop software are open. “They even use botnets to do the scanning for them,” says Sigler.

Why POS malware is effective, what to do about it

“These third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn’t demonstrate an up-front benefit. They can’t say they saved X amount of money by using security. It takes a few successful attacks for them to learn to apply basic security,” says Sigler.

But any business, including third-party vendors that serve stores’ POS systems, can take measures to block POS malware attacks. First, they should assign strong passwords to remote access software and to PCs that house this software. By using longer, stronger passwords that are not common and that no one in the organization has previously used, companies can circumvent the password dictionaries inside brute force attack software. Employees should not document, share, or disclose any passwords. It is a good idea for these vendors to update passwords regularly. “Two-factor authentication methods increase the security of passwords that attackers can compromise,” says Sigler.

Third-party vendors should use only select computers set aside for technical support to connect to POS systems with remote access software. Only authorized personnel should be able to access these computers. No one should use these computers for web browsing or any purpose other than as the company intends. A good firewall should help with that.

To detect POS malware, POS system vendors should monitor outbound network traffic and any traffic intended for systems outside their control, according to Sigler.
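One way to apply the outbound-monitoring advice above, as an added example rather than anything from the article or Trustwave: flag flows that leave POS terminals for destinations outside an allowlist. The subnets, the allowlist and the flow-record format are assumptions made for illustration, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed for illustration: POS terminals live in one subnet, and the only
# legitimate destinations are internal hosts and the payment processor.
POS_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = [
    (ipaddress.ip_network("10.0.0.0/8"), None),       # internal, any port
    (ipaddress.ip_network("198.51.100.0/28"), 443),   # processor, TLS only
]

# Constructed flow records: "src dst dst_port bytes_out"
FLOWS = """\
10.20.0.11 198.51.100.5 443 18200
10.20.0.11 10.1.1.53 53 310
10.20.0.12 203.0.113.77 80 5400
10.20.0.12 203.0.113.77 80 6100
10.20.0.12 198.51.100.5 8080 900
10.30.0.4 203.0.113.9 443 120000
"""

def allowed(dst, port):
    """True when the destination and port match an allowlist entry."""
    return any(dst in net and (p is None or p == port) for net, p in ALLOWED)

def unexpected_outbound(flow_text):
    """Sum bytes per (src, dst, port) for POS-originated flows off the allowlist."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        port, nbytes = int(parts[2]), int(parts[3])
        if src in POS_NET and not allowed(dst, port):
            totals[(str(src), str(dst), port)] += nbytes
    # Largest transfers first, so likely exfiltration is reviewed first.
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (src, dst, port), nbytes in unexpected_outbound(FLOWS):
        print(f"ALERT {src} -> {dst}:{port} {nbytes} bytes")
```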

 

 

Via: csoonline

eBay And PayPal To Split Into Two Separate Companies

eBay and PayPal are going their separate ways, with the payments company moving out from under the eBay umbrella to form its own, publicly-traded company. The move follows a strategic review conducted by eBay, Inc. and its Board of Directors, and is intended to help both businesses grow faster in their respective markets.

The spin-out of PayPal is expected to be complete by the second half of 2015, provided all regulators sign-off on the agreement. As TechCrunch reported, both companies will get new CEOs as part of the deal, with eBay Marketplaces President Devin Wenig taking over at eBay, and PayPal President Dan Schulman presiding at PayPal.

This is a split that many, including activist investor Carl Icahn, have predicted or called for in the past. eBay picking up PayPal was about trying to inject some energy into its instant buy, same-day delivery and curated storefront businesses, but with PayPal’s forays into mobile payments, including its Braintree acquisition and its One Touch system, the company is moving more and more towards in-person mobile transactions and away from online commerce.

eBay still manages around $20 billion in annual mobile sales volume, according to the company today, but ultimately its business has been bolstered heavily by PayPal’s strong growth. PayPal could also be opening itself up to opportunities with several of eBay’s strong competitors by separating itself from the online marketplace, including world leader Alibaba.

Via: techcrunch