Monthly Archives: November 2014

Home Depot facing 44 lawsuits over data breach as clean-up cost reaches $43m

Recently we have further proof – if any were needed – that data breaches are costly for everyone involved.

Home Depot, which revealed a huge data breach in September, said it now faces at least 44 civil lawsuits across the US and Canada after the security slip that left 56 million credit cards and 53 million email addresses exposed.

The company also warned that it expects more claims to be filed by customers and shareholders, as well as card issuers and payment card brands, according to a Securities And Exchange Commission (SEC) filing by Home Depot.

The financial impact of the breach so far stands at $43 million, the company wrote, though it expects to recoup some $15m of that cost via a network security and privacy liability insurance policy.

The resulting $28 million pre-tax net expense covers the three month period up until 2 November 2014 and takes account of the cost of investigating the breach itself, providing free identity protection and credit monitoring services to customers and the additional costs associated with an increased demand for call centre staff.

Other expenses include fees in respect of legal and other professional services required in the wake of the data breach.

Home Depot also predicted other future costs in respect of the breach, including further professional services expenses as well as additional capital costs associated with remediation.

The company said the value of potential further expenses and legal costs will likely be dependent upon whether it was deemed to be compliant with data security standards, such as Payment Card Industry Data Security Standards (PCI-DSS), at the time of the breach and whether or not any non-compliance (if detected) could be proven to have been instrumental in the criminals gaining accessing to the data.

Home Depot said its payment card network had been certified as compliant by an independent auditor in Autumn 2013, but said the 2014 assessment was ongoing at the time of the attack so admitted it may not be found to be compliant:

The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the Data Breach. As a result, we believe it is probable that the payment card networks will make claims against us and that we will dispute those claims.

Home Depot reiterated its previous announcement of additional measures to prevent another breach occurring in the future, which includes the rolling out of “enhanced encryption” in all of its US stores to make credit card data unreadable, and the complete adoption of EMV Chip-and-PIN technology by the end of the year.

Canadian stores, which are already enabled with Chip and PIN technology, will receive the new encryption system in 2015.

Investigations into the breach are still ongoing, the company said.

 

Via: sophos

Citadel Malware Now Targets Password Managers

The Trojan looks for processes linked to KeePass, Password Safe, and the neXus Personal Security Client.

IBM Trusteer researchers recently came across a new variant of the Citadel Trojan that specifically targets several popular password management solutions.

For cybercriminals, it’s a logical target — get the master password for a single repository, and you’ve got access to all of a victim’s login credentials.

With millions of computers worldwide already infected with the Citadel malware, the researchers say it’s easy for cybercriminals to provide updated instructions to those machines via a command and control (C&C) server.

“As long as the malware is communicating with the C&C, the configuration file can be updated with information about new targets, activities and C&C destinations,” Trusteer director of enterprise security Dana Tamir wrote in a blog post describing the threat.

“All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets,” Tamir added.

The new Citadel configuration instructs infected machines to start keylogging when any of the following processes are running: Personal.exe, PWsafe.exe, or KeePass.exe.

According to Tamir, Personal.exe is a process belonging to the neXus Personal Security Client, PWsafe.exe belongs to the open source password manager Password Safe, and KeePass.exe belongs to the open source password manager KeePass.

The IBM Trusteer researchers who found the new Citadel configuration file haven’t yet been able to determine who’s behind it, or if it’s specifically targeting a single institution.

“It might be an opportunistic attack, where the attackers are trying to see which type of information they can expose through this configuration, or a more targeted attack in which the attackers know that the target is using these specific solutions,” Tamir noted.

“Password management and authentication programs are important solutions that help secure access to applications and Web services,” Tamir added. “However, it is important to understand that these solutions can be compromised by malware.”

While the three solutions currently being targeted are only a small subset of the range of password managers currently available, it would be extremely simple for the attackers to update the configuration file to look for processes tied to other leading products.

In the meantime, Trusteer’s discovery should serve as a reminder to keep your anti-virus solutions updated, and to implement two-factor authentication where possible. Password Safe supports YubiKey authentication, and the KeeOtp plug-in for KeePass enables two-factor authentication.

 

Via: esecurityplanet

Australian Government Data Breach Linked to Poor Security Training

Data from an Excel spreadsheet containing 9,250 asylum seekers’ personal information was mistakenly embedded in a Word document published online.

Following a data breach in February 2014 that exposed the personal details of almost 10,000 asylum seekers in Australia, an investigation by the Office of the Australian Information Commissioner (OAIC) has determined that the country’s Department of Immigration and Border Protection (DIBP) “unlawfully disclosed personal information.”

The investigation also found that the DIBP “breached the Privacy Act by failing to put in place reasonable safeguards to protect the personal information it held against loss, unauthorized access, use, modification or disclosure and against other misuse.”

According to the OAIC report, the breach could have been avoided had DIBP staff better understood the need for careful management of embedded data in documents made available online.

 

When the DIBP published a document on its website containing statistical information on asylum seekers on February 10, 2014, an Excel spreadsheet containing approximately 9,250 asylum seekers’ personal information was mistakenly embedded in the Microsoft Word version of the document.

The information, which was available on the DIBP website for about eight and a half days, included asylum seekers’ names, genders, citizenships, birthdates, periods of immigration detention, locations, boat arrival details, and reasons why each individual was deemed to be unlawful.

“The Commissioner found that the data breach was caused by the failure of a number of Departmental policy documents to adequately mitigate against the known risk of embedded data,” the OAIC report states. “This included the failure of DIBP to make Departmental staff aware of the risk of embedded data. These failures led to the errors by Departmental staff who created and cleared the Detention report.”

According to the report, the DIBP staff who created the report “copied charts and tables directly from the Microsoft Excel spreadsheet, resulting in the underlying data being embedded in the Microsoft Word version of the Detention report. This was contrary to the relevant Departmental policy, which stated that graphs should be copied and pasted as pictures into Microsoft Word documents.”

Still, the OAIC report found that the departmental policy didn’t include information on why copying and pasting graphs as pictures was necessary. “If DIBP had explained the reason for this direction, staff may have better understood the risks of embedded data and why this instruction was necessary,” the report states.

“Similarly, the Commissioner found that had DIBP appropriately trained Departmental staff involved in the creation of the Detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error,” the report adds.

It’s a common problem — an Enterprise Management Associates survey recently found that more than 56 percent of employees at organizations ranging from fewer than 100 employees to more than 10,000 haven’t received any security awareness training at all.

A recent eSecurity Planet article offered advice on how to offer security awareness training that works, including two tips that could have helped the DIBP prevent this breach: explain why security policies are needed, and show users specific examples of security no-nos.

Guardian Australia notes that while the OAIC has now closed its investigation, 1,600 individual complaints relating to the breach will still have to be resolved separately.

 

Via: esecurityplanet

Heirloom App Preserves Print Photos With A Single Snap

Here’s a neat thing for those who want to preserve your pictures by Sarah Buhr (@sarahbuhr)

 

 


My mom, ever the scrapbook aficionado, has documented every birthday, Halloween, dance performance, first bike ride and baby eats dirt moment me and my brothers have endured since I can remember. She hand-scanned every last one of those hundreds of pictures a few years back and then organized them into neat little labeled folders on her own PC.

It took me eons to convince her to put it all in Dropbox. It’s finally all there, but it looks like this:


My brothers and me.

As you can see the technology has been somewhat limiting for her to do this in a way that is easy and efficient.

Heirloom is a new smartphone app that hopes to change that. You snap a picture of your old photos and the app uploads it into a private social network in the cloud that allows you to then share the pictures with your friends and family. Trunx is somewhat of a similar idea with the organizing and sharing of photos, but the hook with Heirloom is the scanning.

It’s also a family business. Brothers Eric and Evan Owski came up with the idea after Eric’s wife complained that there weren’t any good scrapbooking apps for moms. Evan, a former programmer at TuneIn, worked on the code. Eric is Heirloom CEO and handles the marketing end of things.


“Throwback Thursday is now a weekly ritual across the web. We believe that speaks to the human desire to relive treasured moments from our past,” says Eric. “Yet for many, the process of capturing old prints is clumsy and doesn’t result in high quality digital images.”

If you are me, you scratch your head and start asking them how that is different from simply taking a picture with your iPhone camera and then sending it to the already created family photo album folder in Dropbox.

“When you take a picture of a photo, you have to spend a lot of time lining up the edges and cropping if you want a decent scan,” explains Evan. “Our app can take a scan even if the photo is rotated or skewed. It will automatically find the edges, correct the perspective, and do a bit of color correction,” he tells me.

Throwback Thursday is a social media phenom, though the brothers maintain that you may not always want to share those precious moments of your chubby former 13 year old self with the world. So Heirloom incorporates a more intimate network made just for loved ones.


My mom on her wedding day. Great Grandma Davidson is right next to her.

Tencent and and a group of angel investors led by Eduardo Vivas (COO at Bright, Eric’s previous employer) have given Evan and Eric $1 million in seed to grow the company.

The app is available for download on both the App Store and Google Play.

 

Via: techcrunch

Security Holiday tips and tricks

Here’s a quick list of security-related tips and tricks that can be emailed to the staff (or anyone).

The email below acts as a quick awareness message that can be sent to the entire company or anyone.

In addition to the tips and tricks below, this time of year is also the perfect time to remind staff about IT policies, including device access, support, passwords, and data protection.

Note:
This list is compiled and edited down from a number of sources including McAfee, Tony Gill (AppRiver), and Mark Stanislav (Duo Security).

Scams and Schemes

This holiday season, criminals will take full advantage of clever shoppers looking to score a good deal or save some cash. Here’s a list of common schemes and scams to be on the lookout for.

Fake charities –

Giving is a common theme during the holidays. It shouldn’t come as a shock to learn that criminals will steal funds from those who need it most, but each year thousands of people fall victim to charity scams.

If you wish to donate this year, call or visit the foundation directly, or use their official website. Avoid collection points such as Indiegogo and GoFundMe, especially if the request to donate comes out of the blue.

Use caution, and your best judgment, if approached for a donation in public. If you’re unsure, or feel pressured, don’t feel bad about saying no.

Advertising –

Keep an eye out for ads that promise a known brand at a steep discount, especially if the promise comes from an ad on the Web. Criminals will use fake ads to lure people to malicious websites. In the past, these types of lures have been used to push malware and instigate financial crime.

Coupons (especially if they come from Target, Kmart, or Home Depot) –

There were nearly a billion records compromised in 2014.

Thus, criminals have a large amount of data at their disposal, and they’re not above using it to target you. Keep an eye out for customer reward offers, or emails that claim to represent some of the larger retail outlets that were breached this year.

Check the email for grammatical errors and typos, as that’s usually the fastest way to spot a fake. Remember, retailers will never ask you to email personal or financial data, and any offer they make via the Web, you can usually get them to honor in-store.

Delivery receipts / error notices –

Another common scam – often hitting its peak this time of year – centers on consumers who do most of their shopping online.

Criminals will send fake shipping notices, charge notices, or delivery error notices, in order to trick you into following a link or opening an attachment. The links and attachments are all malicious, either leading to information loss or malware installation.

If you’re not expecting a delivery, or you didn’t order anything, most of these notices can be safely ignored. However, if you see one of these fake notices and are concerned, call the retailer directly and avoid the email entirely. The retailer can inform you of any issues, and provide a phone contact to the shipping company if needed.

Personal Protection

Another way to hinder criminals this holiday season is to increase your financial visibility and limit access.

Pre-paid credit cards –

Given the number of records compromised in 2014, it might be easier to purchase pre-paid credit cards and use those for shopping online. This way, if the card details are stolen, the loss to you is minimal.

Fraud notifications –

Often, people don’t think about this option until it’s too late.

Credit card companies (Capitol One / American Express) as well as several banks offer mobile applications that let you receive fraud notices and respond to them, all without having to make a phone call.

Check with your financial institution to determine if such offerings exist and learn their limits. Sometimes, it’s possible to get alerts if spending hits a certain amount, or if there are several transactions within a certain amount of time. Knowing where your money is, and how it is being spent can prevent fraud before it gets out of control.

 

Via: csoonline

Sony Pictures facing full network compromise – Report

Corporate network pulled offline.

UPDATE 3:

Earlier this evening, an email was sent to Salted Hash from someone claiming to be an employee of Sony Pictures.

The email used broken English, which would normally raise red flags, but the image attached to the curious message shows an alternate look at the message left on Sony Picture’s network, lending some credibility to the claim that it came from someone on the inside. However, this cannot be confirmed fully.

The image shows the second half of the message left by GOP, the group that is taking credit for the security incident, which tells Sony Pictures how initiate contact with their attackers. The newest details are printed below, complete with typos.

Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.

“Thanks a lot to God’sApstls contributing your great effort to peace of the world.”

And even if you just try to seek out who we are, all of your data will be released at once.


UPDATE 2:

In a statement, a Sony Pictures Entertainment spokesperson offered a single answer to questions: “We are investigating an IT matter.”

UPDATE:

Sources close to the situation have told Salted Hash that they were within earshot when the director of the internal IT security team at Sony Pictures was informed about the compromise.

After notification, employees were told to turn their computers off, disable Wi-Fi on their mobile devices, and to refrain from accessing the corporate VPN. We’re unable to confirm, but there are reports that some staff have been told to go home for the day, and others are being told to wait for access to be restored.

Original Article:

Sony Pictures is said to be in the middle of a security incident, based on reports from employees, after a group calling themselves GOP (Guardians of Peace) left a threatening message that was displayed on monitors across the network on Monday.

The message is below:


Hacked By #GOP
Warning:

We’ve already warned you, and this is just a beginning.
We continue till our request be met.
We’ve obtained all your Internal data, Including your secrets and top secret [clip]
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM (GMT).

It’s said that Sony has disabled their corporate network in order to deal with this situation. Salted Hash has reached out to them for comment, in order to get a better understanding of the situation, but there was no response by deadline.

Users on Reddit have downloaded the file referenced by the GOP, which contains lists of data allegedly compromised by the group. Salted Hash has seen the file promoted by GOP, and can confirm the findings on Reddit in full.

Among the items reported as compromised, GOP says they’ve accessed private key files; source code files (CPP), password files (including passwords for Oracle and SQL databases), inventory lists for hardware and other assets, production outlines and templates, as well as production schedules and notes.

According to the warning GOP says they plan to publish the compromised data later this evening. This story will be updated with further developments.

 

Via: csoonline

Craigslist Down After DNS Attack

Craigslist, the well-known web classifieds site, is currently offline for many users following a DNS attack.

According to Brad Volz, a network engineer at Craigslist, someone compromised the site’s account at one of its registrants on Sunday evening, causing the name server (NS) records to migrate.

“That issue has since been corrected,” Volz explained, “but the various caches around the Internet are still holding the old data.”

These caches may need to be flushed in order to restore Craigslist’s operability.

Shortly following the attack, users who tried to access the web classifieds site were redirected to “Digital Gangsters for life,” which suggests Craigslist may have been hacked.

The Digital Gangsters forum is known for a number of high-profile attacks, including the theft of photos from singer Miley Cyrus’ email in 2008 and a Twitter hack a year later in which the accounts of celebrities, such as Bill O’Reilly and Britney Spears were compromised.

Digital Gangsters has been largely unable to manage its victim’s heavy traffic. After temporarily going down, the site redirected all Craigslist web searches to the New York Times website. All traffic has since been redirected to Digital Gangsters, whose response time continues to be sluggish.

As part of the attack, Craigslist’s domain name record was modified, with a new name registered to “steven wynhoff @LulzClerk“.

Steven Wynhoff has been named as having used DDoS attacks and hacked YouTube accounts dedicated to posting “Call of Duty” videos, as well as allegedly hacking Bitcoin creator Satoshi Nakamoto’s email earlier in 2014.

Whether Wynhoff is behind the attack remains to be determined.

Some time after the attack was discovered, Craigslist CEO Jim Buckmaster released a blog post confirming the DNS attack.

Like Volz, Buckmaster is concerned that “many internet service providers (ISPs) cached the false DNS information for several hours, and some may still have incorrect information.”

He therefore urges all network providers and tech staff to flush all Craigslist entries from their DNS servers.

 

 

Via: tripwire

NSA director states China can shut down U.S. electric grids, report indicates

Adm. Michael Rogers, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, stated that China, as well as “one or two” other countries, is capable of launching cyberattacks to shut down electric grids and other critical infrastructure in parts of the U.S., according to a Thursday AP report.

Rogers made the statement at a House intelligence committee hearing when responding to questioning from Rep. Mike Rogers (R.-Mich.), who chairs the intelligence committee, the report indicates, adding that the NSA director would not identify the “one or two” other countries.

The head of U.S. Cyber Command stated that U.S. adversaries are regularly performing electronic “reconnaissance,” and said that the Obama administration is working to establish international military cyber operations principles, such as not attacking hospitals, according to the report.

 

Via: scmagazine

Beats Solo2 Wireless Review: Bluetooth Adds Considerably To The Solo Appeal


Beats is taking its Solo line wireless, with a new set of Bluetooth cans that match the wired Solo2 almost exactly in terms of external design. Surprisingly, they also match their wired counterpart in terms of sound, both when used with the included aux cable with inline remote, and when they’re used with the Bluetooth wireless connection. And after Beats took its sound engineering back to the drawing board for the Beats Solo2, that means they sound surprisingly good.

Basics

  • 30 foot range
  • 12-hour internal rechargeable battery
  • 3.5mm able with inline remote included
  • 215g
  • MSRP: $299.95
  • Product info page

Pros

  • Good sound, wired or wireless
  • Comfortable and light

Cons

  • Expensive

Design

The Beats Solo2 Wireless comes as close to replicating the Solo2 signature design as possible, with just a few fractions of a millimeter different in dimensions due to the need for a battery within the case. The mirroring of the design of the two products was intentional, and a desired goal from the start, because Beats wanted these headphones to share all the same traits, except of the addition of wireless functionality in these new Bluetooth versions.

 


The retention of the same design is smart not only to unify the Solo product line, but also because they have really top-notch fit and finish to begin with. The new design is a lot more visually appealing than the previous Solo, with fewer line breaks and softer angles. They’re still plastic, and contain little in the way of metal surfaces, but the high-gloss look works well with Beats’ bold colors (red, black, white and blue are options for the Wireless model at launch).

Solo2 Wireless packs padded cups and headband, and both are soft and comfortable for all-day use. They’re lighter than the Studio version of Beats’ headphones, and the on-ear design will probably be preferable for some. They fold up into a decently portable package, and will stow in the included soft case when you want to take them travelling. The soft case itself also contains padding, so you can throw them in a bag without much concern about their overall safety.

Sound

Beats has gone from a brand whose headphones I’d never recommend, let alone own myself, to one that is right up there with some of the better general consumer market audio companies in terms of audio quality. For them to have accomplished that between a single generation of hardware is impressive. What’s more impressive is that the Beats Solo2 wireless headphones deliver sound that is consistent regardless of whether you use them wired or wireless, and that in both cases, there’s a warmth out of the box that you don’t generally get from audio equipment without a decent break-in period.

There’s no active noise cancellation here, but he ear cups do offers a certain amount of passive filtering out of surrounding sound, which is plenty for most use cases. The audio also doesn’t suffer from any kind of inherent background hiss or static, again regardless of whether you’re using either wireless or wired connection.

Battery

The Beats Solo2 Wireless is rated at 12 hours of use on a single charge, and in practice I did get a good amount of listening out of them – definitely enough for a long day at the office, and for most flights you’ll ever have to take. Plus, they work with the included remote cable whenever you do run out of juice, so you won’t be left in the lurch.

For a wireless pair of headphones, 12 hours of continuous use is a very respectable duration, and Beats has also included its LED light indicator to tell you how much batter you have remaining. And if you’re using them with an iPhone or iPad, there’s also a battery indicator icon that will show up in your status bar once you’ve paired them with your device.

Bottom Line

The Beats Solo2 Wireless Headphones are the first new hardware from Beats to arrive post-Apple acquisition, but they’ve been in development long before the deal came together, and they shared a development cycle with the wired version which debuted earlier this year. Beats staggered their launch to make sure the wired version got its own spotlight, and to refine the additional engineering required to make sure the wireless version had identical sound, without any kind of artificial enhancement or EQ trickery.

Overall, the company accomplished what it set out to do with the Beats2 Wireless – these feel like they should become the new default option for customers shopping for a pair of on-ear wireless headphones. Price is still an issue, as it’s a 50% premium over the wired version, but there’s a lot more engineering involved, too. And thanks to that work, these don’t feel overpriced, per se – the added convenience of wireless features is hard to quantify, but if you’re concerned about budget, check out Solo2 or other wired option first.

 

 

Via: techcrunch

Savings.com’s New App Called PriceJump Finds You The Lowest Price, Online, On Amazon Or In-Store

Amazon has a reputation for having low prices, but that’s not always the case. Savings.com recently revealed via its price comparison tool that, half the time, Amazon had higher prices than its online competitors. Today, the company is furthering its price comparison efforts with the launch of an app that helps shoppers figure out where to buy for the lowest price across three categories. Called PriceJump like its web-based counterpart, the new app gives you the best online price, the best local (in-store) price, or – if you need the item right away and want to take advantage of your Amazon Prime shipping benefits – the app will find the best Amazon price, too.

Launching today in beta on iOS, PriceJump was spun out of Saving.com’s web tool called “Amazon or Not” Price Check, which has helped over 500,000 shoppers save since its launch this July. On mobile, the app takes on competitors like ShopSavvy, offering both a barcode scanner and a search box that returns real-time prices from Amazon and over 5,000 online retailers, as well as nearby stores.

These prices are presented to in three columns (Best, Online or Local), so you can determine which way you want to shop and then which store to visit or which link to click. With Local, I had to manually enter my zip code in settings for this option to work, which could be a bug. Your mileage may vary.

Even if you do most of your online shopping with Amazon to enjoy the convenience of free, two-day shipping with Prime, the PriceJump app can still be useful. Online retailers, and especially Amazon, don’t run sales the way traditional brick-and-mortar stores do. Instead, their pricing changes dynamically and often. While you may have been researching a big purchase and think you’ve found the best place to buy for the lowest price, by the time you return to the web to make your purchase, that price may have changed.


Notes Savings.com, they found that over a two-week period, the lowest price changed 10 or more times on nearly 20% of over 500 items they had been tracking since October. And the prices changed 5 or more times on 45% of the items.

The new app is less complex than top competitor ShopSavvy, which may either good or bad, depending on your use case. ShopSavvy has a heavy focus on pointing users to “sales” and letting them organize their wants into wish lists, while also surfacing item reviews, product information and related items. PriceJump, meanwhile, sticks mainly to price comparisons, though you can tap on the item itself to read reviews and a product description. But when all you care about is the dollars and cents of something you’re coveting, PriceJump’s simplicity makes it quicker and easier to use.

Well over half of U.S. consumers use price comparison apps to help them when shopping, and many stores will even price match with the web. Walmart, in fact, recently began officially matching online and Amazon prices, which could make the use of price comparison apps even more popular with shoppers.

Savings.com generates revenue by taking commissions on the sales it drives, and its current lineup today includes a couple of other apps aimed at helping shoppers save money. Its flagship app Savings.com provides coupon codes and deals, while its Favado app help you find the best grocery deals. (The latter is especially popular among extreme couponers, myself included, as it shows you how to stack coupons and match them with store deals.)  PriceJump, however, has a more modern and cleaner look-and-feel than the company’s earlier apps, which also makes it easier to use*.

The new app is available as a free download, here on iTunes.

* Though it needs to tone down the shade of green, a commenter points out. But in comparison with its Favado app, which is ugggghhhly, this is progress for them. 

 

Via: techcrunch