Monthly Archives: March 2015

Serious Fraud Office Fined £180,000 for Data Breach

The Serious Fraud Office (SFO), an independent UK Government department whose mission is to investigate instances of serious and complex fraud, was recently fined £180,000 following a data breach during one of its investigations.

In 2004, the SFO initiated an investigation into an arms deal between aerospace company BAE Systems and Saudi Arabia in response to allegations of corruption and bribery. The deal, which stretches back to the 1980s, ended in 2006 with the sale of 72 Typhoon fighter jets.

The Serious Fraud Office closed the case in 2006 amid concerns that UK-Saudi relations might be harmed if it went forward with the investigation.

Four years later, a data breach occurred when the SFO mistakenly sent over 2,000 bags of evidence pertaining to the case to “Witness A” between November 2011 and February 2013.

A “relatively inexperienced” temporary worker sent 407 of the bags belonging to 64 people to the witness, the SFO later discovered.

Worse still for the Serious Fraud Office, the witness to whom the evidence was sent disclosed the breach to The Sunday Times, which ran a series of articles based on the misstep.

In total, the confidential personal information of 6,000 people, some of whom were in the public eye, as well as the sensitive personal information of two subjects, was compromised in the incident.

The SFO did not begin investigating the breach until 2013, after details of the error were requested in response to a parliamentary question.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong,” said David Smith, Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office, an independent UK authority responsible for fining the SFO.

“This was an easily preventable breach that does not reflect well on the organization. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The SFO has recovered 98% of the documents and is taking action to make sure there are adequate security checks in place to ensure any case files containing personal information are delivered to their correct recipients.


Via: tripwire

GitHub recovering from massive DDoS attacks

Software development platform GitHub said Sunday it was still experiencing intermittent outages from the largest cyberattack in its history but had halted most of the attack traffic.

GitHub was hit by distributed denial-of-service (DDoS) attacks that sent large volumes of Web traffic to the site, particularly towards two Chinese anti-censorship projects hosted there.

Over the next few days, the attackers changed their DDoS tactics as GitHub defended the site, but as of Sunday, it appears the site was mostly working.

A GitHub service called Gists, which lets people post bits of code, was still affected, it said. On Twitter, GitHub said it continued to adapt its defenses. 

The attacks appeared to focus specifically on two projects hosted on GitHub, according to a blogger who goes by the nickname of Anthr@X on a Chinese- and English-language computer security forum.

One project mirrors the content of The New York Times for Chinese users, and the other is run by, a group that monitors websites censored by the Chinese government and develops ways for Chinese users to access banned services.

China exerts strict control over Internet access through its “Great Firewall,” a sophisticated ring of networking equipment and filtering software. The country blocks thousands of websites, including ones such as Facebook and Twitter and media outlets such as The Wall Street Journal, The New York Times and Bloomberg.

Anthr@X wrote that advertising and tracking code used by many Chinese websites appeared to have been modified in order to attack the GitHub pages of the two software projects.

The tracking code was written by Baidu, but it did not appear the search engine—the largest in China—had anything to do with it. Instead, Anthr@X wrote that some device on the border of China’s inner network was hijacking HTTP connections to websites within the country.

The Baidu tracking code had been replaced with malicious JavaScript that would load the two GitHub pages every two seconds. In essence, the attackers had roped regular Internet users into their attacks without them knowing.

“In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech,” Anthr@X wrote.

GitHub has not laid blame for the attacks, writing that “based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content.”

The attackers used a wide variety of methods and tactics, including new techniques “that use the web browsers of unsuspecting, uninvolved people to flood with high levels of traffic,” GitHub said.

In late December, China cut off all access to Google’s Gmail service, after blocking Facebook’s Instagram app, and the phone messaging app Line. A month prior, it appeared many non-political sites supported by the U.S. content delivery network EdgeCast Network were blocked. EdgeCast may have been a casualty because its cloud services are often used to host mirror sites for ones that have been banned.

Via: networkworld

Bankrupt RadioShack to Auction Off Millions of Customer Records

Following RadioShack’s recent bankruptcy filing, the tech retailer is now in the process of selling not only trademarks and real estate, but also millions of customer names, emails and physical addresses.

According to a report by Bloomberg, the highest bid for the company’s assets came from RadioShack creditor and hedge fund Standard General at an auction on Monday.

However, the purchase is yet to be approved by a bankruptcy court in Delaware, with several states, and telecommunications giant AT&T, challenging the hefty transaction.

Texas Attorney General Ken Paxton argues that the retailer made an explicit promise to its customers not to sell their personal data – a claim clearly stated in the company’s online privacy policy:

We will not sell or rent your personally identifiable information to anyone at any time. We will not use any personal information beyond what is necessary to assist us in delivering to you the services you have requested. We may send personally identifiable information about you to other organizations when: We have your consent to share the information (you will be provided the opportunity to opt-out if you desire).

Paxton added that RadioShack’s customer data for sale includes 117 million people, as well as information on customers’ shopping habits.

Tennessee’s Department of Commerce and Insurance also joined in on the objection earlier this week.

Meanwhile, AT&T is attempting to battle the transaction by stating the information isn’t actually for RadioShack to sell. The wireless carrier states it worked with the company to market its phones, in which case the retailer should not be able to sell information belonging to AT&T.

As a resolution, AT&T proposed the data should be destroyed to prevent its competitors from accessing the information.

A similar case was last seen before court back in 2000, when Toysmart, an online toy store, filed for bankruptcy and attempted to auction off its customer data.

The Federal Trade Commission (FTC) sued the company to prevent the sale, claiming Toysmart was violating its own privacy policy, which stated consumers’ personal information would never be shared with third parties. According to the Washington Post, the data was eventually destroyed.



Via: tripwire

Protecting Cyber Networks Act introduced by House committee

A new threat sharing cybersecurity bill was introduced by leaders of the U.S. House of Representatives Intelligence Committee.

The Protecting Cyber Networks Act has significant bipartisan support and seeks to allow companies and government agencies to share information about cybersecurity threats more freely, according to Reuters.

Inspiration for the bill comes in part from a recent slew of cyber attacks on corporations. Proponents of the bill say it has strong support from the business community, while privacy activists fear the bill’s vague language could lead to more government surveillance.

This bill’s introduction comes just a few weeks after a similarly controversial bill, the Cybersecurity Information Sharing Act, passed a Senate committee. The Intelligence Committee will vote on the bill this Thursday and, if it passes, it is expected to go before the full House of Representatives in late April.



Via: scmagazine

Vulnerability found in popular hotel routers

A recently discovered authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs could be putting hundreds of hotel guests’ data at risk.

The flaw could allow an attacker to distribute malware to guests, monitor and record data sent over the network and possibly gain access to the hotel’s reservation and keycard systems, Wired reported. If exploited, attackers could gain direct access to the root file system of the device. At this point, they could write files to the routers or copy configuration and other files from the system.

Cylance researchers found 277 vulnerable devices in 29 countries, although they noted that others could exist. More than 100 devices were located in the U.S. Sixteen were found in the U.K.

Although most InnGate routers were found in hotels, some were located at convention centers, as well.



Via: scmagazine

Twitch Resets All User Passwords After Suffering Data Breach

Twitch, the immensely popular livestreaming service for gamers that was acquired last year by Amazon in a nearly $1 billion deal, confirmed today that it has suffered a security breach that may have resulted in unauthorized access to a number of user accounts. The company is now forcing all of its users to change their passwords.

Twitch alerted users to the breach in a blog post on its website that read:

“We are writing to let you know that there may have been unauthorized access to some Twitch user account information.

For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account.

We also recommend that you change your password at any website where you use the same or a similar password. We will communicate directly with affected users with additional details.

Twitch Staff”

And here is the email Twitch sent to users that may have been affected by the hack:

“We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.

For your protection, we have expired your password and stream keys. In addition, if you had connected your account to Twitter or YouTube, we have terminated this connection.

You will be prompted to create a new password the next time you attempt to log into your Twitch account. If applicable, you will also need to re-connect your account to Twitter and YouTube, and re-authenticate through Facebook, once you change your password. We also recommend that you change your password at any other website where you use the same or a similar password.

We apologize for this inconvenience.

The Twitch Team”

Twitch is a hugely popular site — it is reportedly the fourth largest site on the Internet in terms of peak traffic, bested only by Netflix, Apple, and Google — so a hack could potentially have a negative impact on a large number of people.

When reached by email, a Twitch spokesperson declined to provide additional comment on the breach or details on how many accounts were compromised.



Via: techcrunch

New Ransomware Encrypts Your Game Files

If you’re in love with your Diamond Armor and Sword combo, you might want to back up your computer. A new form of ransomware called TeslaCrypt has been found that primarily targets game files. This means when it attacks it will encrypt all of your saved game files and ask you for about $1,000 to access them again. Usually your only

TeslaCrypt is targeting files associated with games and platforms like RPG Maker, League of Legends, Call of Duty, Dragon Age, StarCraft, MineCraft, World of Warcraft, and World of Tanks. Researcher Fabian Wosar of Emsisoft first discovered the worm and Bleeping Computer found a few of its attack vectors.

Hackers are releasing software along with the Angler Exploit Kit, a toolkit used by hackers to send malware out into the world. The first and most pernicious piece of ransomware, CryptoLocker, is a distant cousin to this new strain.

Sadly the system doesn’t just stop at game files. The filetypes encrypted by the ransomware include Word docs, images, Excel files, and PowerPoint presentations, and it asks you to pay in relatively untraceable PayPal My Cash cards or Bitcoin. Your best defense against these things? Back up, back up, and then back up. While there are tools you can use to decrypt some types of ransomware, a techno tragedy can quickly become a mere nuisance with a good backup.



Via: techcrunch

PoSeidon malware targeting retailers, say researchers

A family of improved malware is targeting retailers’ point of sale (PoS) systems, taking up where Zeus and BlackPoS left off, say Cisco researchers.

Dubbed PoSeidon, the malware is designed to scrape PoS devices’ memory for credit card information and exfiltrate that data to servers.

According to researchers, most of the exfiltration and command and control (C&C) servers linked to the PoS malware have Russian domain names.

The researchers found that the malware starts with a loader binary which, when executed, first tries to maintain persistence on the target machine so that it survives a possible system reboot.

The loader then contacts a C&C to retrieve a URL which contains another binary to download and execute.

The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers.

The keylogger component can be used to steal passwords and could also be responsible for spreading infections, the researchers said.

Once the data is verified using the Luhn algorithm, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Demand for point of sale system data

The data can be used to create cloned credit cards, and is typically sold on criminal markets. The demand for such data has driven the growth in the number of data breaches involving PoS malware.

These data breaches affect large organisations such as US retailer Target as well as small, family-run retail businesses.

The presence of large amounts of financial and personal information means these businesses and their retail PoS systems are attractive targets for cyber criminals.

“PoSeidon is another in the growing number of point-of-sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” said the researchers.

“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” they said in a blog post.

Magnetic stripe vulnerability

The researchers warn that, as long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and the development of new malware families.

“Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats,” they said.

Card cloning is particularly rife in countries such as the US that have not yet implemented chip and PIN technology in line with the Europay, MasterCard and Visa (EMV) standard.

In October 2014, US president Barack Obama issued an executive order aimed at accelerating the adoption of cards that reach the EMV standard.

While EMV is not hack-proof, it provides more security than the magnetic stripe-based system, with a unique identifier for each transaction and user verification through a PIN code.

Although widely adopted in Europe, where it has been credited with significantly reducing card-present fraud, EMV adoption in the US has been relatively slow.

In an effort to speed up adoption of the EMV standard, Obama’s executive order directs the federal government to lead by example in securing transactions and sensitive data.

The White House said the new BuySecure initiative will provide consumers with more tools to secure their financial future by assisting victims of identity theft and improving the government’s payment security.

This is in addition to accelerating the transition to stronger security technologies and the development of next-generation payment security tools.



Via: computerweekly

The risk inside your credit card

Millions of credit cards now have a built-in device designed to make them more convenient. But is it also making your credit cards more vulnerable to fraud? 13 Investigates shows how credit card information can be stolen from your wallet while it’s still inside your pocket.

Credit cards are getting a high-tech makeover.

Many of them now contain a tiny radio chip that allows customers to simply wave their credit card at the checkout line and be on their way.

Radio frequency identification (RFID) is an added convenience, according to Visa, MasterCard and American Express. The nation’s three largest credit card companies have recently issued millions of credit and debit cards with RFID technology, and McDonald’s, Walgreens, Office Depot and Meijer are among a growing number of restaurants and retailers that now process the radio signal embedded in the cards.

But some privacy experts say the technology comes with risk and controversy, and an Eyewitness News test shows why.

“Wow. That’s Scary.”

Walt Augustinowicz is a credit card privacy advocate and founder of Identity Stronghold, which sells fraud-prevention products for credit cards.

Last month, Augustinowicz came to Indianapolis to demonstrate the vulnerability of RFID credit cards for 13 Investigates.

Equipped with a standard credit card reader connected to a battery and a laptop computer, Augustinowicz claimed he could easily steal credit card numbers from dozens of unsuspecting travelers at Indianapolis International Airport.

“It’s absolutely something anybody can do, and the equipment costs less than $100,” he explained. “With what I have here, I can get your credit card number, your expiration date and everything I need to make a clone card.”

He wasn’t exaggerating.

13 Investigates randomly selected 20 people to take part in a demonstration. With their permission, Augustinowicz tried to intercept their credit card numbers. Seven of the participants had RFID-enabled credit cards, and Augustinowicz was able to electronically scan card numbers and expiration dates from all of them – without the credit cards ever leaving a pocket, purse or wallet.

“Oh my gosh. Wow. That’s scary,” said Kathleen Charley, as she watched Augustinowicz intercept information from her Visa card. “I’m shocked to think someone could do that just by walking by me with [my credit card] in my pocket.”

Roberta Gonzales learned three of her cards are at risk.

Augustinowicz intercepted information from Gonzales’ Visa card, MasterCard and American Express card; all are embedded with radio frequency identification.

“Wow. I heard about this but I didn’t think my cards were accessible to it,” she said. “I thought all the new cards were protected and I thought ‘surely it’s not possible.'”

It is possible — even if most consumers don’t realize it.

“I had no idea. It’s the first time I’ve heard of anything like that. That’s just insane that it’s happening and that credit cards are allowing it to happen,” said Nate Elkins after his friend’s credit card data was intercepted during WTHR’s demonstration.

Sophisticated protection?

Major credit card companies insist RFID technology is safe, and they say consumers have little to worry about.

Visa, MasterCard and American Express all sent statements to WTHR, citing advanced safeguards to protect RFID credit cards from tampering and fraud. And each of the companies points out consumers face zero liability (or very limited liability) for any fraudulent purchases charged to their credit cards.

In its statement, Visa admits radio frequency identification does pose some risk to consumers:

“Because information travels from card to terminal without any contact, there is a remote risk that data can be intercepted. However, we have built in multiple layers of security for every Visa transaction that helps protect against fraud using stolen information.”

All three companies say cardholder name and address information is not included during the RFID transaction process. They also say fraud rates associated with RFID technology are extremely low due to special security codes that are created for each individual transaction.

“In response to the claims that you’re hearing that a person could use a reader to capture someone’s account number and expiration date, I think it’s important to point out that they can’t do anything with that data,” explained MasterCard spokeswoman Erica Harvill.

Augustinowicz disagrees, and he provided a bold demonstration to show why.

While at the airport, he intercepted information from an RFID credit card and, using an inexpensive device purchased on eBay, he copied the data onto the magnetic stripe of his hotel room key. Augustinowicz then used the hotel room key to pay for a large soda at an airport restaurant. He simply slid the hotel room key through a traditional credit card reader at the restaurant, and the credit card reader allowed the transaction because it couldn’t tell the difference between a regular credit card and a room key containing intercepted data.

“You can’t say ‘no, it can’t be done’ when someone turns around and does it right in front of your eyes, and that’s what we did. We did exactly what they said we can’t do,” Augustinowicz said. “We didn’t have to do a whole lot to do this. It’s not rocket science, and we’ve done it at big box retailers for several hundreds of dollars with no problem … It’s too easy. Way too easy. It’s a wide open door – especially if you don’t know it’s a threat.”

Are your credit cards at risk?

To find out if you have a credit card or debit card containing a radio chip, simply take a look at the card.

If it has a symbol similar to the speaker or volume symbol on a computer, it’s a sure sign the card has RFID technology. You can also look for buzzwords such as PayPass, payWave, expresspay or Blink as proof that you’ve got a radio chip in your credit card.

Joan Antokol, an attorney specializing in security and privacy issues, says it’s not just credit cards and debit cards that are now embedded with radio frequency technology. She says new passports and ID cards issued by many schools, private companies and government agencies also contain RFID.

“Over a billion cards have been issued with RFID chips in unencrypted form and all of those cards are very vulnerable to attack,” Antokol told WTHR. “I think it’s a very big risk. It’s the responsibility of the credit card companies to issue cards that are secure or people won’t want to use them.”

The Identity Theft Resource Center agrees. The nonprofit organization says RFID technology is not as secure as it should be to be included in millions of credit and debit cards.

“It is a potential problem, and I think the credit card companies themselves are going to have to get this figured out and conclusively resolve this issue because they’re in it up to their noses,” said ITRC executive director Jay Foley. “Like any other technology, RFID is only as good as the systems it’s used on and that system has some holes.”

So far, ITRC has not directly linked any cases of identity theft to RFID-enabled credit cards. But it says a direct link would be very difficult to establish because consumers victimized by credit card fraud usually cannot identify the cause.

While consumer liability is usually limited in cases of credit and debit card fraud (credit card companies usually follow a “zero liability” policy for unauthorized use of a credit card and limit consumer liability to $500 for fraudulent use involving a debit card), Antokol says many consumers face great hassle and inconvenience when their card numbers are stolen.

“You can face years and years of angst associated with trying to restore your credit and identity because of stolen credit card information,” she said. “Even if you don’t lose a cent, it’s something nobody wants to go through.”

Protecting yourself

After learning of the risk involving RFID, Augustinowicz launched his company that sells protective sleeves, badge holders and wallets designed to block the radio frequency waves from credit cards and IDs containing RFID chips. One of his biggest clients is the U.S. government, which has purchased tens of thousands of badge holders for government-issued IDs and protective envelopes that are sent with all newly-issued U.S. passport cards.

While many government agencies require protective covers for ID badges and all passport cards are shipped with a protective sleeve, no credit card companies or U.S. banks currently provide consumers with protective covers with their RFID-enabled credit cards.

A single protective sleeve for a credit card costs $4.99 (a 10-pack including protective sleeves for both credit cards and passports costs $19.99) plus shipping through Identity Stronghold. Other companies such as 3M and RFID Shield sell protective sleeves, as well. Purchased in bulk, the protective sleeves cost less than 50 cents each.

Augustinowicz says consumers can make a homemade remedy for just pennies by wrapping their credit card in a piece of aluminum foil.

“The metal from the foil will do the same thing and block the radio signal,” he explained. “But consumers have to have the knowledge – they have to know they are getting these cards with radio chips in them – in order to protect themselves. This is a problem and this is real.”




Via: wthr

Charging On The Go: Electricity From Your Car Tire


Goodyear will be releasing a new tire concept, the BH-03, which will have the capacity to convert heat generated from friction and deformation of the tires into usable electricity that will charge the car battery while you drive. This could be a monumental change for worries about electric vehicles having a short range. If one can charge their car while driving, the range of an electric vehicle would not be hindered by the inability to find a charging station. This could mean exponential travelling capabilities for electric vehicles.

“These concept tires reimagine the role that tires may play in the future,” said Joe Zekoski, Goodyear’s senior vice president and chief technical officer. “We envision a future in which our products become more integrated with the vehicle and the consumer, more environmentally friendly and more versatile.”

Source: Goodyear

The tire utilizes an internal pump mechanism that sends air from the main air chamber to the three individual tubes. These three internal tubes sit beneath the tread, near the inboard and outboard shoulders of the tire and in the center of the tire. The tire has three different positions, and will automatically adjust to each position based on road conditions.

Position #1: Eco/Safety position – offers reduced rolling resistance when there is maximum inflation in all three tubes.

Position #2: Sporty position – gives drivers dry handling through an optimized contact patch when there is reduced inflation within the inboard shoulder tube.

Position #3: Wet Traction position – provides high aquaplaning resistance through a raised tread in the center of the tire when there is maximized inflation in the center tube.

Goodyear, being one of the world’s largest tire companies, wants to bring more innovative methods to making useful tires for customers. They feel this tire will meet the needs of a vehicle market in flux. Zekoski said, “It is more important than ever for us to stay firmly rooted in our market-back innovation process, which calls on us to focus on, and anticipate, the rapidly evolving needs of our customers.”



Via: survivalist