Monthly Archives: April 2015

Samsung biometric payment services set to go live in South Korea, then the world

The biometric revolution moved one step closer this week, as Samsung IT services subsidiary Samsung SDS confirmed plans to launch a “simple” mobile payment system using biometric authentication in the very near future.

The Samsung SDS system remains rather hazily defined, but will include at the very least fingerprint authentication, built in to the last few generations of Galaxy devices, and most likely also iris recognition, again already associated with Galaxy hardware.

Initially, access to the service will be limited to users in South Korea, working with local payment gateway providers KG Mobilians and KG Inicis and planned to launch before the end of April, but the announcement also made clear there were plans to roll it out worldwide.

The project is almost certainly connected to the Samsung Pay system announced alongside the recent launch of the technology and engineering behemoth’s latest flagship smartphone, the Galaxy S6, but could well extend much further; Samsung SDS apparently discussed providing its services to a wide range of other hardware manufacturers and service providers.

The Samsung Pay digital wallet and payment system is set to launch in July in South Korea and “sometime this summer” in the US, aiming to take on similar systems from rivals Google and Apple but boasting of superior uptake among merchants and payment providers.

Microsoft, still lagging badly in the smartphone space, continues to leak minor teasers about payment systems in future devices running Windows 10, but the market share already grabbed by Samsung makes its activities in the area much more significant.

With the South Korean giant apparently keen to collaborate with other device makers in the biometrics space, the way could be open to all sorts of manufacturers to get a piece of the action, making a future where we pay for everything using digital hardware rather than cash or plastic a very real possibility.

The “SOMA” client and server systems from Samsung SDS are already certified by FIDO, the cross-industry group pushing for better authentication methods, which the firm signed up to almost exactly a year ago, earning an immediate board seat.

The substantial weight of the FIDO group and its existing specifications for universal biometric authentication standards, combined with ever-growing interest from both banks and technology providers, seems to suggest we’re not too far away from doing away with not only passwords but even older identifiers such as signatures and plastic payment cards.

Again, Microsoft seems to be a little off the pace here, with the biometric components of the upcoming Windows 10 apparently requiring some tweaks to the current specs and aiming to fit better into a future version.

FIDO member PayPal has also been beating the drum for biometrics, with the payment go-between firm’s Head of Global Developer Advocacy Jonathan LeBlanc reportedly touring the conference circuit with a talk entitled “Kill All Passwords”, discussing the possible benefits of everything from heartbeat and vein recognition to biostamps and swallowable dongles.

In academia, a study from Dartmouth College looks set to present evidence that the password system is a major cause of data breaches, urging us to move on to something more suitable.

Some have suggested that educating users to avoid using bad passwords has limited value beyond a certain point, and there seems to be growing agreement with the Dartmouth findings that the whole system needs to be replaced with something less easily leaked, stolen or phished.

With more and more major tech firms seeing the benefits of biometrics, it looks like that password-free future so many are hoping for could be with us rather sooner than we thought.



Via: nakedsecurity

BlackBerry Is Buying File Security And DRM Startup WatchDox for up to $150M

Canadian handset maker BlackBerry has been on a mission to turn around its beleaguered handset business by focusing more on software, and it looks like it has taken a significant step in that direction, specifically around file security and DRM. According to reports coming out of Israel, BlackBerry is buying WatchDox, a startup that has developed cross-platform technology for digital rights management and for enterprises to share files securely. BlackBerry, the reports say, will be paying between $100 million and $150 million for the company, and will also leverage its 100-person team in Israel to build out its R&D operations in the country.

The news was first reported by Israel’s GeekTime, which says the deal was signed this week for $150 million. Another local publication, Globes, followed up with a report noting that the deal could be confirmed as soon as today and see BlackBerry pay $100 million for WatchDox. We have reached out both to people at WatchDox and also BlackBerry for a direct comment and have been told we will be getting a response “soon.”

WatchDox was founded in 2008 originally as Confidela. Confidela first released WatchDox in 2009 before ultimately, it seems, rebranding the whole business under the product name. The company, which is headquartered in Palo Alto, has raised nearly $36 million, with investors including the Blackstone Group, Gemini Israel Ventures, Millennium Technology Value Partners, Shasta Ventures, and Shlomo Kramer. Kramer, the chairman of the company, had in the past cofounded Trusteer, another security firm acquired by IBM in 2013.

WatchDox’s growth has partly sprung out of rising awareness of security risks among enterprises and individuals. As more mobile devices are used for work and sharing documents, there has been an exponential growth of cloud-based services to store files, but that has also opened the door to data breaches. While some of us may look at the growth of organizations like WikiLeaks as a triumph of free speech on the Internet, businesses may see it differently, and that has proven to be the wind beneath WatchDox’s wings.

“WikiLeaks, as well as numerous smaller document leakage incidents, have raised awareness for the need to better secure documents as they are shared inside and outside of the organization,” Moti Rafalin, WatchDox CEO, said back in 2011 when the company announced a $9.25 million round of funding. “Legacy enterprise digital rights management and data loss prevention products are failing to address the problem, and enterprises are realizing documents need to be seamlessly protected and controlled wherever they go.”

In practice, what WatchDox allows is a platform to securely share documents among employees and other authorized individuals. When those files have to leave the corporate circle of trust — for example to be sent to someone outside the organization — the security goes with them, so that, for example, a video clip or sensitive contract or memo cannot be downloaded and posted elsewhere. Currently, WatchDox’s DRM product does not seem to be targeted at mass distribution of files, but more to protect sensitive scripts, videos and other digital media so that it doesn’t get leaked and used elsewhere.

If the acquisition news is accurate, it would give BlackBerry a big step ahead in its own enterprise security business. WatchDox today works with a lot of different verticals, listing energy, finance, government, healthcare, media and technology among them. Today BlackBerry’s security services include a collaboration with Samsung KNOX. Having its own tech would help differentiate BlackBerry’s bigger security products from those of its partners.

BlackBerry posted a profit last quarter of $28 million but a lot of that was down to drastic cost cutting, not business growth. Revenues were $660 million down from $976 million a year before. While the company is intent on pushing ahead with its hardware business — this month announcing the global rollout of the BlackBerry Leap — it’s betting hard on software as a second revenue stream that will help it serve users on other platforms apart from its own.

It’s still a very small business for the company, however. In Q4 software sales were only $67 million, even if that was up 20% on a year before.

Israel, where a lot of engineers first cut their teeth on security in the Israel Defense Forces, is well known for its enterprise and security-focused startups. BlackBerry will not be the first business to build up its security R&D presence in the country through acquisition. Others have included PayPal (which acquired CyActive earlier this year); IBM (which acquired Trusteer in 2013); and Microsoft (which bought Aorato in 2014).

To date, BlackBerry has made 24 acquisitions, with security-focused buys including Certicom (which counts the NSA as a customer) and Secusmart.


Via: techcrunch

Hotel company announces second data breach

Hotel management firm White Lodging Services Corp has suffered a data breach, roughly a year after a previous data breach.

The latest breach was a malware attack against point-of-sale (POS) systems at 10 hotels. Customer data at risk includes names, payment card numbers, card security codes, and expiration dates.

Affected locations are as follows:

  • Indianapolis Marriott Downtown, Indianapolis, IN
  • Chicago Marriott Midway Airport, Chicago, IL
  • Auburn Hills Marriott Pontiac at Centerpoint, Pontiac, MI
  • Austin Marriott South Airport, Austin, TX
  • Boulder Marriott, Boulder, CO
  • Denver Marriott South at Park Meadows, Denver, CO
  • Louisville Marriott Downtown, Louisville, KY
  • Renaissance Boulder Flatiron, Broomfield, CO
  • Courtyard Austin Downtown, Austin, TX
  • Sheraton Hotel Erie Bayfront, Erie, PA

In a press release announcing the breach, White Lodging says: “Guests who used or visited the affected food and beverage outlets during the seven month-period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.”

The press release continues: “After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services. These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.”

White Lodging Services is offering the usual free credit reporting services that organizations offer when a breach happens. I’m not sure how much confidence I’d have in using one of the hotels managed by White Lodging Services, though, and I’m sure many other customers feel the same.


Via: itgovernanceusa

Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches

Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year.

The findings are based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries.

According to Verizon’s 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, the top five affected industries by number of confirmed data breaches were: public administration, financial services, manufacturing, accommodations and retail.

Humans were again the weak link that led to many of the compromises. The data shows that phishing—whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites—remains the weapon of choice for many criminals and spies.

For the past two years, over two-thirds of cyberespionage incidents involved phishing, the Verizon team said in its report. Hundreds of incidents from the crimeware section have also included the technique in their event chain, they said.

The data showed that 23 percent of phishing email recipients open the messages and 11 percent of them click on the attachment inside. A small phishing campaign of only 10 emails comes with an over 90 percent chance that at least one person will become a victim, the Verizon team said.

The time window for organizations to react to such attacks is very small, with the median time from when an email is sent to when the first user clicks on the link inside being just one minute and 22 seconds. Sanctioned tests have shown that nearly half of the users who end up opening phishing emails and clicking on links do so within the first hour.

Employees of certain business departments are more likely to fall victim to phishing attacks than others. Workers in departments like communications, legal and customer service are at greater risk because opening email is a central component in their jobs, so companies will probably want to start security awareness training with them.

Ironically, while users are the problem, they can also be the solution to phishing. If trained properly, they can become a network of human sensors that are better at detecting sophisticated email attacks than any technology.

As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.

Credentials were the second most common type of record after bank information that was stolen by crimeware—malware attacks that don’t fall into more specific categories like cyberespionage. However, many stolen credentials are later used to compromise bank records, so they’re likely under-represented in the statistics, according to the Verizon team.

Weak or stolen credentials are also the leading cause of point-of-sale compromises and account for over 50 percent of breaches involving Web applications. As such, companies should strongly consider implementing two-factor authentication mechanisms wherever possible.

In this year’s report Verizon has again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.

It then established relationships between those attack categories and various types of threat actors and targeted organizations. As such, readers can learn that hacktivists favor Web application attacks (61 percent) and denial-of-service attacks (31 percent) while organized crime groups favor crimeware (73 percent) and Web application attacks (20 percent).

Companies in the accommodation, entertainment and retail sectors are more likely to be the victims of point-of-sale intrusions, while those in the financial services sector are more likely to be targeted with crimeware and Web application attacks.

Healthcare institutions are likely to suffer security incidents as a result of errors (32 percent) or privilege misuse (26 percent). Otherwise, cyberspies most frequently target organizations in the manufacturing, professional and information sectors.

As such, companies should prioritize defenses based on the threats they’re most likely to face, which, perhaps surprisingly, are almost never mobile-based, according to Verizon.

Data shared for the report by mobile carrier Verizon Wireless, which monitors its network for signs of malware, revealed hundreds of thousands of potential infections. However, it turned out most of them were of the annoying advertising variety.

“An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network—were infected with ‘higher-grade’ malicious code,” the Verizon team said.

This echoes a recent report from Google, which found that under 0.1 percent of devices that only allow the installation of apps from Google Play had a potentially harmful application installed. Kindsight Security Labs, a security division of Alcatel-Lucent now called Motive Security Labs, reported a 0.68 percent mobile infection rate for the second half of 2014.

“Mobile devices are not a theme in our breach data, nor are they a theme in our partners’ breach and security data,” Verizon said. “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone.”

Mobile devices should not be ignored, because they can be vulnerable to attacks and can pose risks to enterprise networks, the Verizon team said. However, for now hackers seem to favor other attack methods that don’t involve smart phones, so companies should focus on those, while striving to gain visibility into mobile devices in case the threat landscape shifts in the future.

For example, one thing companies should pay closer attention to is patching. Data from Verizon partner Risk I/O showed that just 10 vulnerabilities, some of them dating back to the late 1990s and early 2000s, accounted for almost 97 percent of all exploitation attempts.

At first glance this is encouraging, because everyone should have patches in place for those flaws by now. However, when looking at the total number of vulnerabilities that were targeted in 2014, a much darker picture emerges: attackers started exploiting half of them less than a month after they were publicly disclosed. Moreover, the patching window might actually be shorter, because the timelines in the Verizon report are based on when the exploits were first detected, and there’s always a lag between the actual launch of an attack and when it’s first detected.

“These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner,” the Verizon team said.

Via: networkworld

Evernote’s New Free App Takes the Ugh Out of Scanning

Ugh. They sit in stacks in my desk drawer. I know they’re there, but I refuse to acknowledge them until I absolutely can’t ignore them anymore, like an ex who shows up at a party.

I’m talking about the piles of expense receipts and snarls of business cards that trail me throughout my professional life — perhaps the last holdout of the analog age. The sad thing is that I know taking the time to organize them would offer great returns. But the task of having to scan documents and manually enter information is so tedious and time-consuming that I’d rather deal with them jamming my drawers and stuffing my wallet than actually doing something about them.

Understanding that this is a pain point for many people, Evernote has launched a new app called Scannable. Using your smartphone’s camera, Scannable captures and digitizes various paper documents, which you can then save to a specified location or share with others.

So what makes Scannable better than the dozens of other document-scanning apps out there, like CamScanner, Doc Scan and Jot Not? Evernote says the difference between Scannable and the competition is its speed and simplicity. (It’s also free.)

In my testing, I found this to be true, and with my iPhone 5, I managed to scan several dozen business cards, a handful of documents and about 20 receipts.

But the app may be a little too limited for some people. First, it’s only available for iOS 8 devices. The company says it wants to work on perfecting the iOS app before moving onto other platforms, like Android.

There are no document collaboration tools, and you can’t add notes to scanned business cards from within the app. So if you need these things, this isn’t the app for you.

Bonnie Cha for Re/code

But if you’re looking for a quick and easy solution to digitize paperwork, I’d recommend Scannable. I should also note that while Scannable can connect with Evernote’s note-taking and archiving app, an account is not required to use it.

Once you install the app, you can start scanning documents immediately. As you begin using the different functions, the app may ask for permission to access your contacts, calendar, Evernote, LinkedIn and other social networking accounts, giving you the opportunity to link them if you want. (You can view Evernote’s privacy policy here for more information on the type of data it collects and why.)

The app scans various types of documents, including letters, receipts, business cards and Post-it notes. Unlike some of its competitors, Scannable doesn’t require that you align the edges of the document with rulers, tap the screen to focus, or press a capture button to start scanning. It does its best to automate that whole process.

I started with documents and receipts. You just point your iPhone or iPad’s camera at the document, and Scannable handles everything from detecting the image and cropping and adjusting brightness to converting it into a high-quality digital copy — all within a few seconds. If the app has a problem recognizing a document, you can switch to manual mode and capture it yourself.

In my experience, Scannable was quick and reliable. I used CamScanner and Doc Scan to scan a few different documents to see how they compared in speed — Scannable was easier and faster.

I was also impressed with the quality of scans. The app does best when you place the document on a contrasting background and with decent lighting. But even when I tried it in dimmer environments or against various backgrounds, Scannable did a good job of producing a readable document. Files can be saved either as JPGs or PDFs.

Bonnie Cha for Re/code

Once you have the scanned document, you can continue scanning, or tap on it for more options, such as renaming or sharing it. There are also shortcuts to export a file to iCloud, Google Drive, Evernote, your camera roll and more.

I thought one of the smartest features of the app was the ability to share scanned documents with meeting attendees. If you’ve given Scannable access to your calendar, it knows when you’re in a meeting and will automatically populate an email with all the attendees’ addresses if you want to share a document with them. But as I mentioned before, there are no built-in collaboration or editing tools, so you can’t mark them up with notes or make changes once you’ve captured an image.

Scannable was a little more powerful when it came to scanning business cards. It can pull details from the card — phone number, address, email, title, even a LinkedIn profile if available — and convert that into a digital contact card that you can add to your address book or export to Evernote.

For me, this is the killer feature of Scannable. I meet with a lot of people in my line of work, and I always mean to add their information to my digital Rolodex after I get their business cards. Instead, the cards end up shoved in notebooks or my desk. Then I curse myself when I can’t find someone’s information. Scannable made quick work of digitizing stacks of collected cards.

But it wasn’t without problems. I ran into multiple issues when scanning nontraditional business cards, like those printed on dark backgrounds, using hard-to-read fonts, or of non-standard size.

For example, Scannable couldn’t pull any information from a couple of cards printed on plastic. Also, a cursive “k” on a business card was translated as an “h” in the app, and the angle brackets on my business card created errors in the name field. You can correct mistakes before saving to another location, but you can’t add new fields.

One other key feature I’d like to see is the ability to assign notes or tags within the Scannable app. I work with a lot of public relations companies that represent numerous clients, so it would be nice if I could add just a brief note to say, “this contact represents company X.”

Evernote said this has been a frequently requested feature, so it may roll it out in a future update. The company is also working on improvements for capturing information from cards of different layouts and sizes.

Evernote Scannable may not be the most feature-rich document scanning app, but it’s simple, fast, and one of the best free solutions for helping you go paperless.

At A Glance
Product: Evernote Scannable
Company: Evernote
Price: Free
Compatibility: iOS 8 or later
Availability: Now
Evernote Scannable makes quick work of scanning documents on the go, but it’s not the most feature-rich app out there.



Via: recode

‘Doctor Who’ Set to Become Film, Reveals WikiLeaks Trove of Hacked Sony Emails

According to a collection of leaked Sony emails and documents, the popular television show Doctor Who is projected to be made into a Hollywood blockbuster in the next few years.

In a leaked email sent to Sony Pictures Entertainment chief executive Michael Lynton, president of international production Andrea Wong reveals that she spoke to Danny Cohen, the director of BBC Television, regarding the concept.

Wong states that the show’s runners are “very hot under the collar” and would rather wait until another time for the movie to be made.

Even so, the Doctor Who team is developing an 8-year timeline for the show, which will include a feature-length film.

This announcement is just one of the many revelations gleaned from WikiLeaks’ database of 30,287 documents and 173,132 emails leaked from Sony Pictures Entertainment (SPE).

In November of last year, a group called the Guardians of Peace (#GOP) compromised systems on Sony’s network and posted the links to a collection of stolen documents, including financial records and the private keys to Sony’s servers.

After movie theaters across the United States received threats from the hackers if they chose to show the film “The Interview,” a comedy that revolves around an assassination plot of the North Korean leader Kim Jong-Un, the FBI announced that the North Korean government had been responsible for the hack in early December.

Despite the hack’s negative consequences, SPE’s third quarter earnings revealed that the attack did not cause as much damage as originally expected.

Julian Assange, the editor-in-chief of WikiLeaks, feels that it is important to make the database of leaked Sony documents available to the public.

“It is newsworthy and at the center of a geopolitical conflict,” he wrote of the archive. “It belongs in the public domain. WikiLeaks will ensure it stays there.”

SPE does not agree, however.

“The cyber-attack on Sony Pictures was a malicious criminal act, and we strongly condemn the indexing of stolen employee and other private and privileged information on WikiLeaks,” said a spokeswoman, in a statement emailed to

“The attackers used the dissemination of stolen information to try to harm SPE [Sony Pictures Entertainment] and its employees, and now WikiLeaks regrettably is assisting them in that effort.”

To read a press release on the database of leaked Sony documents, please click here.



Via: tripwire

Zero Day Dark Web Market ‘TheRealDeal’ Selling MS15-034 Exploit

A new dark web market has appeared, focused on the selling of 0-day exploit code. The market is called “TheRealDeal Market,” and although still in its infancy, there are already a few exploits listed.

One exploit claims to target the recent MS15-034 Microsoft IIS Remote Code Execution vulnerability and comes with reverse shell and research information associated with it.

According to the developers of TheRealDeal:

“This market was created after years and dozens of websites claiming to sell privileged information and zero-day code, while always turning out to be a scam.”

There are additional exploits for a remote database object in iCloud, as well as Android, WordPress and others. There is no way to verify that the exploits are real at this time.

In addition to exploits, the site is also selling information on financial fraud, RATs, and the drugs and weapons you would see on a typical dark net market.

The site charges a 3 percent transaction fee, with a number of measures implemented to try and mitigate fraud through the use of multi-signature escrow transactions. The multi-signature model involves the buyer, seller and admin, and the transaction needs to be approved by two of the three parties before funds are transferred.

At this point, there is no way to verify whether the exploits are real without buying and testing them, but it is something we will be watching, to see whether the market grows and whether the exploits turn out to be genuine.


Via: tripwire

Thieves using a $17 power amplifier to break into cars with remote keyless systems

If you have a wireless key fob for a car with a remote keyless system, then you might want to start keeping your keys in a freezer or other Faraday Cage to protect it from high-tech thieves, who can use a $17 power amplifier to break into your vehicle.

Cars with keyless entry systems are capable of searching for a wireless key fob that is within a couple of feet of the vehicle, but car thieves can use a $17 “power amplifier” to boost the key searching capabilities, sometimes up to around 100 meters, and pull off a high-tech car break-in.

After almost becoming a victim of a high-tech car heist again, Nick Bilton over at The New York Times said he is now keeping the keys to his 2013 Prius in the freezer. There had been a rash of mysterious car break-ins near his Los Angeles address, including three break-ins to his own car; all cars involved had remote keyless systems that come with a wireless key fob which is used to unlock the doors and start the engine instead of using a physical key.

Recently, he was looking out his window and saw a girl hop off her bike and pull out “a small black device from her backpack. She then reached down, opened the door and climbed into my car.” He ran outside and the girl split, but he was curious about the black device she used to open his Prius.

He called Toyota but got no useful info; the LAPD blew it off and told him that he must have forgotten to lock his car. However, he scored when he found a Toronto Canada Police public safety alert warning about “a spike in theft of Toyota and Lexus SUVs” that left no signs of physical damage at any of the crime scenes.

The Toronto Police alert said, “Investigators believe that the suspect(s) may have access to electronic devices which can compromise an SUV’s security system.” It urged “the public to be vigilant when securing their SUVs, even in their driveways. Using a locked garage is recommended and any spare keys for SUVs should be secured in a safe location.”

Bilton contacted a security researcher at the Institute of Electrical and Electronics Engineers Public Visibility Committee, who said “some sophisticated thieves have laptops equipped with a radio transmitter” and use brute force attacks to find the correct and unique code of a car’s key fob.

He found articles from 2012 about how car thieves took only three minutes to steal keyless BMWs by exploiting “features,” before discovering an article about thieves using a “mystery device to unlock vehicles.”

Finally, he got answers from Boris Danev, the founder of Switzerland-based 3DB Technologies. The girl most likely used an inexpensive “power amplifier” to break into Bilton’s Prius.

As Bilton wrote: “Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.”

“It’s a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, ‘hello,’ ” Mr. Danev said. “You can buy these devices anywhere for under $100.” He said some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist.

What’s the best way to protect your vehicle if it has a keyless entry system? The best way, Danev told Bilton, is to “put your keys in the freezer, which acts as a Faraday Cage, and won’t allow a signal to get in or out.”
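To make the mechanism concrete, here is an added toy model of a passive keyless entry exchange (not code from the article, from Bilton or from 3DB): a car that accepts any correct cryptographic answer is opened through the amplifier, while a car that also bounds the round-trip time notices that the answer took too long to come from a fob within reach. The range, relay delay and timing tolerance are constructed assumptions; real distance bounding needs nanosecond-level precision.

```python
# Added example (not from the article or 3DB): a toy passive keyless entry (PKE)
# exchange. All numbers below (LF range, relay delay, timing tolerance) are
# constructed assumptions chosen to make the effect visible.
import hashlib
import hmac
import secrets

C_M_PER_S = 299_792_458.0               # speed of light
LF_RANGE_M = 2.0                        # assumed: how far the car's wake-up signal normally reaches
RELAY_DELAY_S = 1.0e-6                  # assumed: extra latency added by the amplifier hardware
RTT_TOLERANCE_S = 2 * 5.0 / C_M_PER_S   # assumed: accept a fob only within ~5 m of the car


def key_respond(secret: bytes, challenge: bytes) -> bytes:
    """The fob answers every challenge it can hear; it cannot tell how far away the car is."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def pke_exchange(secret: bytes, key_distance_m: float, relay: bool) -> tuple[bool, float]:
    """Run one challenge/response. Returns (answer_valid, measured_round_trip_seconds).
    With the amplifier in play, the fob hears the car even from the kitchen counter."""
    challenge = secrets.token_bytes(8)
    heard = key_distance_m <= LF_RANGE_M or relay
    if not heard:
        return False, float("inf")       # fob never answers
    answer = key_respond(secret, challenge)
    rtt = 2 * key_distance_m / C_M_PER_S + (RELAY_DELAY_S if relay else 0.0)
    valid = hmac.compare_digest(answer, key_respond(secret, challenge))
    return valid, rtt


def unlock_crypto_only(secret: bytes, key_distance_m: float, relay: bool) -> bool:
    """Behaviour described in the article: a correct answer is enough, wherever it came from."""
    valid, _ = pke_exchange(secret, key_distance_m, relay)
    return valid


def unlock_with_rtt_bound(secret: bytes, key_distance_m: float, relay: bool) -> bool:
    """Defensive variant: reject answers that arrived too late to have come from a nearby fob."""
    valid, rtt = pke_exchange(secret, key_distance_m, relay)
    return valid and rtt <= RTT_TOLERANCE_S


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    print("owner at 1 m:", unlock_crypto_only(k, 1.0, False), unlock_with_rtt_bound(k, 1.0, False))
    print("fob 15 m away, no amplifier:", unlock_crypto_only(k, 15.0, False))
    print("fob 15 m away, amplified:", unlock_crypto_only(k, 15.0, True), unlock_with_rtt_bound(k, 15.0, True))
```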

Via: networkworld

New malware program Punkey targets point-of-sale systems

Point-of-Sale (PoS) terminals have become an attractive target for hackers over the past year, reflected in the increasing number of RAM-scraping programs that steal payment card information from the memory of such systems.

Last month security researchers from Cisco Systems issued a warning about a new PoS threat dubbed PoSeidon and on Wednesday security blogger Brian Krebs reported that the program has already infected PoS terminals at restaurants, bars and hotels in the U.S.

Security researchers from Trustwave now warn that during a recent investigation with the U.S. Secret Service, they’ve uncovered yet another RAM-scraping PoS threat they’ve named Punkey.

This new malicious program, which has at least three variants, is very similar to another family of PoS malware known as NewPosThings. The similarities suggest the two families are based on the same source code, but Punkey has enough differences to make it unique.

Punkey has versions for both 32-bit and 64-bit Windows-based PoS terminals. In addition to stealing payment card data while it is being processed, it also installs a keylogger to capture what employees type on such systems.

The malware injects itself into the Windows explorer.exe process and creates registry start-up entries to ensure its persistence. It also drops a file called DLLx64.dll, which is the keylogger component.

All payment card details and keystrokes captured by the malware are first encrypted with AES (Advanced Encryption Standard) and are then sent back to a command-and-control (C&C) server.

The malware can also download and execute other malicious files, including updates for itself.

“This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation,” the Trustwave researchers said in a blog post. “This is a rare feature for POS malware.”

Trustwave created a tool that can decrypt Punkey traffic and published it on GitHub. This could help PoS terminal owners identify Punkey traffic on their networks.
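The behaviours listed above (explorer.exe injection, a run-key start-up entry, the dropped DLLx64.dll, and outbound traffic from the injected explorer.exe) are what a defender can correlate on the endpoint. The following is an added example, not Trustwave's tool or code: a small scoring rule run over constructed endpoint events. Each indicator alone is noisy (run keys and explorer.exe connections are normal on Windows), so a host is flagged only when several coincide. The event format and all paths, hostnames and addresses are constructed, and the registry key used in the sample is the standard Run key since the article does not give Punkey's exact entry.

```python
# Added example (not Trustwave's code): correlate Punkey-like behaviours per host.
# Events are constructed tuples of (host, event_type, details); the format is an
# assumption, not any particular EDR or Sysmon schema.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample data
    ("POS-01", "file_create", {"path": r"C:\Windows\Temp\DLLx64.dll",
                               "image": r"C:\Users\pos\AppData\Local\pk.exe"}),
    ("POS-01", "registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pk",
                                "image": r"C:\Users\pos\AppData\Local\pk.exe"}),
    ("POS-01", "remote_thread", {"source": r"C:\Users\pos\AppData\Local\pk.exe",
                                 "target": r"C:\Windows\explorer.exe"}),
    ("POS-01", "network_connect", {"image": r"C:\Windows\explorer.exe", "dst": "203.0.113.10:80"}),
    ("POS-02", "network_connect", {"image": r"C:\Program Files\POSApp\pos.exe", "dst": "198.51.100.5:443"}),
    ("POS-02", "registry_set", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                                "image": r"C:\Program Files\POSApp\updater.exe"}),
]

# Each indicator maps directly to one behaviour described in the article.
INDICATORS = {
    "keylogger_dll_dropped": lambda e, d: e == "file_create"
        and d["path"].lower().endswith("\\dllx64.dll"),
    "run_key_persistence": lambda e, d: e == "registry_set"
        and "\\currentversion\\run\\" in d["key"].lower(),
    "explorer_injection": lambda e, d: e == "remote_thread"
        and d["target"].lower().endswith("\\explorer.exe"),
    "explorer_beacon": lambda e, d: e == "network_connect"
        and d["image"].lower().endswith("\\explorer.exe"),
}


def score_hosts(events, threshold=3):
    """Return {host: [matched indicators]} for hosts with at least `threshold` distinct hits."""
    hits = defaultdict(set)
    for host, etype, details in events:
        for name, matcher in INDICATORS.items():
            if matcher(etype, details):
                hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)} Punkey-like behaviours -> {', '.join(names)}")
```

Lowering the threshold to 1 shows why correlation matters: POS-02 then appears on nothing more than its legitimate updater's run key.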

In its annual Data Breach Investigations Report released this week, Verizon Enterprise Solutions noted a significant increase in the number of PoS RAM scraping attacks. In fact, PoS intrusions were one of the top three causes of confirmed data breaches last year, according to the company.

The trend appears to have continued this year. Between PoSeidon last month and Punkey now, malware researchers also found other PoS malware threats: new variants of NewPosThings and a program called FighterPOS that infected over 100 organizations in Brazil.

Via: networkworld

Nearly 1 in 3 Banks Don’t Require Third-Party Vendors to Alert Them of Breaches

Banks and financial institutions lack strong security measures in their dealings with third-party vendors, according to a recent report.

On Thursday, the New York State Department of Financial Services (NYDFS) revealed that about one in three banks currently do not require third-party vendors to notify them when a data breach or intrusion occurs.

The survey, conducted by the NYDFS, comprised 40 regulated banking organizations and sought insight into their due diligence processes, policies and procedures with third-party vendors, as well as their protections for safeguarding sensitive data.

Other key findings outlined in the report included:

  • Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.
  • Approximately one in five banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.
  • Nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data and products are free of viruses).

“A bank’s cyber security is often only as good as the cyber security of its vendors,” said DFS Superintendent Benjamin Lawsky, who referred to the report findings as an “urgent matter.”

“Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data.”

As a result of the findings, the NYDFS announced it plans to move legislation forward to enhance its oversight of third-party vendors that serve the banking sector, including check and payment processors, trading and settlement operations, as well as data processing companies.

Via: tripwire