Monthly Archives: September 2017

Signal tests new, more secure feature

The nonprofit behind Signal, Open Whisper Systems, is launching a new effort to make the encrypted messaging app even harder to crack.

The organization is testing a feature that will allow users of the app to look through their address books to make encrypted calls and texts, without the app having access to a user’s contacts, reports Wired. Members of the security and cryptography communities have said that Signal accessing users’ address books conflicts with the app’s promise of near-total security.

“When you install many apps today you get this little prompt that asks if you want to give someone access to your contacts. You get an uncomfortable feeling in that moment,” Moxie Marlinspike, the founder of Open Whisper Systems and Signal’s creator, told Wired. “This is an experiment in letting you not have that uncomfortable feeling.”

Open Whisper is developing a new method in which its servers mine users’ contacts to find other Signal users, while deleting the rest of the contact data, before it ever touches the nonprofit’s servers.

The company reportedly plans to roll out the feature to users within the next several months.

The new method makes use of a new Intel processor feature called Software Guard Extensions (SGX), which provides a “secure enclave” inside the processor that runs code the host cannot alter. Open Whisper wants to run users’ address books through this enclave instead of through its own servers, meaning that Signal could tell users which of their contacts are also on Signal without ever actually seeing their contacts.

The new method is still just a test, but if it is successful, it could make Signal even more secure.

via: thehill

Oculus will start refunding users for bad VR content

Oculus wants people to keep buying VR content, but one bad experience with an overpriced piece of crap game can rub a user the wrong way.

Today, the company announced that they’re putting formal processes in place for users to get refunds for VR content that didn’t meet their expectations.

There are obviously stipulations, the major one being that for Rift titles you must have purchased the titles within the last two weeks and can’t have dropped more than two hours into it. For Samsung Gear VR content, it’s a lot tighter. Users can’t exceed 30 minutes of playtime and have to have purchased the title within the past three days. The refund policy also will not apply to movies, bundles or in-app purchases.

Users can request refunds through the purchase history page.

People have been saying VR has a problem with content quantity and quality, and while the former definitely appears to be getting solved as time goes on, the latter is a bit trickier. It isn’t in anybody’s best interest for people to download a game, have an awful experience and then grow discouraged from investing in future content. For Oculus, the content team has to get people comfortable with paying for high quality stuff.

Nevertheless this is all a bit complicated for developers. Users who drop $20 on a title expecting what they’d get from a comparable console game are never going to be pleased with VR. The market is so much smaller that unless devs have substantial VC subsidization, the margins aren’t going to allow them to basically give away content their teams labored away on. I would expect some backlash from developers, especially regarding the length of time users can play a game before deciding they don’t want to keep it.

The new refund policy is live now; the company says that, if a request is eligible, it should take no more than five days to initiate a refund.

via: techcrunch

Whole Foods Investigates Card Breach

Whole Foods Market is the latest company that has suffered a security breach, with the national supermarket chain revealing that its customers’ payment card information has been illegally accessed.

The cards in question were used at taprooms and full-service restaurants located within some stores. These venues use a different point of sale (POS) system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected.

The company said that once the breach was discovered, it launched an investigation, hired a leading cybersecurity forensics firm and contacted law enforcement. Whole Foods is assuring customers that it is taking appropriate measures to address the issue.

Whole Foods was acquired by Amazon earlier this year, but the Amazon systems do not connect to the systems at Whole Foods Market, and transactions on the eCommerce giant’s site have not been impacted.

The investigation is ongoing and Whole Foods will provide additional updates as it learns more. While most stores do not have these taprooms and restaurants, the company is encouraging customers to closely monitor their payment card statements for any unauthorized charges.

This is just the latest payment security breach consumers need to worry about, with the biggest being Equifax’s massive hack that has impacted about 143 million Americans.

via: pymnts

Hertfordshire pilots NHS Digital’s Raspberry Pi telehealth kit

Hertfordshire Community NHS Trust becomes first healthcare provider to trial open source telehealth system originally developed by NHS Digital using Raspberry Pi devices.

Hertfordshire Community NHS Trust has launched a pilot using a telehealth system created on a Raspberry Pi to monitor patients at home.

The trust is the first to trial the telehealth kit, called MediPi, which was created by NHS Digital in 2016.

The project is led by clinicians at Hertfordshire, and involves giving patients basic medical devices, such as blood pressure cuffs, finger oximeters and diagnostic scales, which connect to a touchscreen tablet running the MediPi system either via Bluetooth or USB.

The measurements from the devices are sent directly to the MediPi system through a secure and interoperable messaging functionality.

Last year, Richard Robinson, a technical integration specialist at NHS Digital, told Computer Weekly that the software is built on JavaFX, which means it’s platform agnostic and doesn’t necessarily need to run on Raspberry Pi.

“We’ve taken a very simple approach where we take all the data from the device and send it over raw,” he said.

“Each of the bits of the data can be encrypted separately so they can only be seen by the recipient they’re intended for. Currently, we’re sending it using an NHS Spine message, but while MediPi can use Spine messaging, it’s also able to use other sorts of messaging. We envisage a secure network we can send the messaging across.”

According to NHS Digital, the Hertfordshire pilot currently has around 50 participants signed up, with between 10 and 15 devices already transmitting data.

“The measurements are also being taken by clinicians during this pilot phase to measure the accuracy of the devices’ transmissions,” NHS Digital said.

The centre developed a MediPi prototype last year as a response to the numerous expensive telehealth kits out there, wanting to prove it could be done cheaper without compromising functionality or security. It runs on both open source hardware and software.

The MediPi tablet has a simple interface using a tile dashboard for easy interaction. Each tile represents a device, such as the blood pressure cuff, and also has a quick “yes” or “no” questionnaire for patients to fill out.

The system has three main clinical applications focusing on heart failure, COPD and diabetes, according to its GitHub page.

via: computerweekly

Microsoft finally starts doing something with LinkedIn by integrating it into Office 365

Last year, Microsoft bought LinkedIn for $26.2 billion, but even though the acquisition has long closed, Microsoft hasn’t yet done much with all of the data it gets from the social network. At its Ignite conference in Orlando, Florida, the company announced some first steps in integrating LinkedIn’s social graph with its Office products.

Now don’t get too excited yet. What we’re talking about here is the integration of LinkedIn data with Office 365 profile cards. So assuming you don’t know much about your professional contacts and colleagues yet, you can now see more information about them right in Office 365 without having to go to their LinkedIn profiles (and potentially showing up as that one person who looked at their LinkedIn profile that week, which will surely trigger yet another LinkedIn email for them).

As Microsoft spokesperson Frank X. Shaw noted during a press briefing ahead of the event, the idea behind integrating the Microsoft Graph and the LinkedIn Graph is about creating a more modern workplace. “This will result in experiences like having LinkedIn content integrated with the Office 365 profile card,” he said. “So for example, before you go into an interview, information about that person from LinkedIn will show up in their contact card inside your Outlook Calendar in Office 365.”

All of this sounds a bit like Microsoft spent $26.2 million to save you a click. But there is more. Soon, Dynamics 365 for Sales, Microsoft’s CRM solution, will get the same profile integration and its users will be able to send LinkedIn InMails and messages directly from within Dynamics. Do I hear you saying that this is evidence that sometimes dreams really do come true? Well, yes, indeed. They do.

via: techcrunch

Mac OS passwords at risk of theft, researcher warns

Some Apple Mac users are at risk of password theft due to a zero-day vulnerability discovered in some versions of the operating system.

A vulnerability in High Sierra and earlier versions of Mac OS can be exploited to steal plaintext passwords stored in the Mac keychain, according to security researcher Patrick Wardle.

Although the Mac keychain digital vault is designed to allow access to applications only if the user enters a master password, Wardle discovered a vulnerability that allows rogue apps access to steal passwords.

Wardle, a researcher at security firm Synack and a former US National Security Agency (NSA) employee, posted a video online to support his claim.

The video shows how an attacker on a remote server running the Netcat networking utility can use a rogue app to upload all the passwords stored in a Mac keychain.

The video shows the password theft can be carried out without any user interaction beyond installation of the rogue app and without any warnings from the Mac OS or call for the master password.

Wardle notified Apple of his discovery, but decided to go public after Apple released High Sierra without patching the vulnerability.

Apple said in a statement: “Mac OS is designed to be secure by default, and Gatekeeper [Mac OS security feature] warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.

“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that Mac OS presents.”

However, for just $99 a year, attackers could join the Apple Development Program, which would allow them to sign apps with embedded functionality to steal passwords.

Although Apple has a bounty program that pays as much as $200,000 for security vulnerabilities in iOS that runs iPhones and iPads, the company does not have a similar program for Mac OS.

Earlier this month, Wardle blogged about another zero-day vulnerability, this one in High Sierra’s SKEL (secure kernel extension loading) feature, that enables attackers to bypass that security feature.

“Unfortunately, when such ‘security’ features are introduced – even if done so with the noblest of intentions – they often just complicate the lives of third-party developers and users without affecting the bad guys (who don’t have to play ‘by the rules’),” he wrote. “High Sierra’s SKEL’s flawed implementation is a perfect example of this.

“Of course, if Apple’s ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I’m not sure any of this even matters.”

via: computerweekly

Breach at Fast Food Chain Sonic Could Impact Millions

Sonic Drive-In, a fast food restaurant chain with more than 3,500 locations across the United States, has apparently suffered a data breach that may have resulted in the theft of millions of payment cards.

The company confirmed that it has launched an investigation, but it has not provided any information on the possible number of affected restaurants and customers.

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC,” Sonic said in an emailed statement. “The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Security blogger Brian Krebs reported on Tuesday that his sources in the financial industry had noticed a pattern of fraudulent transactions involving cards used at Sonic.

According to Krebs, a cybercrime marketplace specializing in payment cards, called “Joker’s Stash,” is selling a batch of 5 million cards, at least some of which appear to come from Sonic. The investigative journalist pointed out that the 5 million records could be originating from multiple companies whose systems have been breached by the same cybercrime group.

Cybercriminals typically rely on point-of-sale (PoS) malware to steal payment card data from merchants. The stolen data can be used to physically clone the cards, which can then be used to purchase high-value items that are resold for a profit.

The credit and debit card data offered on Joker’s Stash is sold for $25-$50 and is advertised as “100% fresh.” This suggests that the cards were obtained recently and issuers did not get a chance to cancel them.

The cards are indexed by city, state and ZIP code, allowing fraudsters to buy only cards from their own area, which makes fraudulent purchases less likely to trigger any alarms.

“Will customer loyalty be shaken? If the past as with the Wendy’s breach is prologue, then the answer is a qualified maybe, and if so, then only slightly. However, this – coupled with the tsunami of recent breaches – might just be the game changers that lead US Federal authorities to better protect the data collection, processing and storage of customer data,” said Robert W. Capps, VP of Business Development at NuData Security.

“Like Wendy’s, Target and an alarming number of other major data breaches, the Sonic breach is bound to be a painful reminder that personal data is an irresistible target, no matter how diligent any company’s efforts are in data protection,” Capps added. “Until PII data is rendered worthless by advanced authentication such as passive biometrics, consumers will continue to suffer the consequences of industry and legislative inaction.”

The list of major restaurant chains that informed customers of a payment card breach in the past year includes Wendy’s, Cicis, Arby’s, Chipotle, Shoney’s, and Noodles & Company.

via: securityweek

Slap your apps on this Dell-flavored testing server before tossing them on Azure Stack

Collaboration with NTT Comm creates data center safe space.

Dell and cloud managed services provider NTT Communications have launched a specialized server that lets IT departments test apps for Microsoft’s Azure Stack.

As an on-premises version of Azure, Redmond’s new platform is designed to reduce cloud-native app latency while better addressing sovereignty and security, à la VMware’s offerings.

While you could order Azure Stack on Dell servers today, naturally it is “highly recommended” to check and see whether your applications are compatible first.

With the new testing server, IT departments can do exactly that. Well, at least for “non-production virtual workloads at limited scale,” NTT said.

For a “low” fee covering engineering services and rented runtime, customers get to test their apps on a node server in an NTT data center. If they later decide to sign up for NTT’s managed Azure Stack solutions, the testing fee is refunded.

It’s “particularly worth considering if one of your objectives for implementing Azure Stack includes re-platforming one or more existing critical applications,” Dale Vile, CEO and research director at Freeform Dynamics, told The Register, and it may indeed “accelerate adoption of Azure Stack critical workloads.”

But it’s “not going to be right for everyone,” he said.

If you’ve committed to Azure Stack, then instead of paying for NTT’s platform, “you may be better off just biting the bullet, putting the environment in place in your own data center, then managing the testing in house,” he added.

via: theregister

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Yes, that’s Gartner’s security consultancy of the year.

News that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident.

Now evidence suggests it’s no surprise the biz was infiltrated: security-wise, it appears to be all over the shop.

The next day, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.

We were tipped off to these pages by an eagle-eyed reader, and grabbed a couple of screenshots of the potentially offending data:

Screenshot of some of the alleged VPN details for accessing Deloitte’s network that leaked onto GitHub – we’ve censored what looks like passwords

Screenshot of a portion of the Google+ page with Deloitte proxy login information

On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. And likely the best practices Deloitte recommends to its clients, ironically.

“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”

For example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation. Other cases show IT departments using outdated software, and numerous other security failings.

[Screenshot: an example Deloitte system with NetBIOS open]

[Screenshot: what appears to be an Active Directory server with RDP open, complete with administrative users and, if you look closely, Windows Updates still pending]

 

And as other infosec experts have spotted, plenty of other stuff is sitting online, searchable using Shodan, waiting to be prodded by miscreants and other curious minds.

These systems could be used as crucial footholds for hackers into the consultancy giant’s internal networks.

The Google+ page appeared to show that a Deloitte employee has been writing down VPN access controls on his personal page in full view of everyone. Using Google’s vaunted search facilities, a hacker could easily find enough information to launch an attack with a good chance of success.

All this is embarrassing for Deloitte, which billed itself as the top IT security consultancy in the industry. The firm makes millions selling its tech guru services to others for a hefty price – and yet seems to ignore potentially gaping holes in its own IT infrastructure.

The details now emerging are also rather embarrassing for analyst firm Gartner, which in June named Deloitte the world’s best IT security consultancy for the fifth year in a row. Gartner has yet to respond to a request for information on how its conclusion was reached.

It doesn’t help that Deloitte isn’t much liked by other security researchers for its business practices. The firm has a reputation for low-balling contractors on fees – particularly for penetration testing – and the schadenfreude of Deloitte being so bad at its own security has delighted some.

“Between Equifax and Deloitte, starting to see through the tissue paper of corporate America’s security industry companies making huge claims, when in reality it’s a whole bunch of hypocrites,” said Tentler.

“You’d think Deloitte claims to have all this super elder-god style security talent. If that was the case they might consider using that talent on its own infrastructure.”

via: theregister

Deloitte Breach Affected All Company Email, Admin Accounts

Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

In a story published Monday morning, The Guardian said a breach at Deloitte involved usernames, passwords and personal data on the accountancy’s top blue-chip clients.

“The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached,” The Guardian’s Nick Hopkins wrote. “The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was ‘impacted’ by the hack.”

In a statement sent to KrebsOnSecurity, Deloitte acknowledged a “cyber incident” involving unauthorized access to its email platform.

“The review of that platform is complete,” the statement reads. “Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that only very few clients were impacted [and] no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”

However, information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.

This source, speaking on condition of anonymity, said the team investigating the breach focused their attention on a company office in Nashville known as the “Hermitage,” where the breach is thought to have begun.

The source confirmed The Guardian reporting that current estimates put the intrusion sometime in the fall of 2016, and added that investigators still are not certain that they have completely evicted the intruders from the network.

Indeed, it appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States. The notice stated that employee passwords and personal identification numbers (PINs) needed to be changed by Oct. 17, 2016, and that employees who failed to do so would be unable to access email or other Deloitte applications. The message also included advice on how to pick complex passwords:

A screen shot of the mandatory password reset email Deloitte sent to all U.S. employees in Oct. 2016, around the time sources say the breach was first discovered.

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

In its statement about the incident, Deloitte said it responded by “implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte.” Additionally, the company said it contacted governmental authorities immediately after it became aware of the incident, and that it contacted each of the “very few clients impacted.”

“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” the statement concludes.

Deloitte has not yet responded to follow-up requests for comment. The Guardian reported that Deloitte notified six affected clients, but Deloitte has not said publicly yet when it notified those customers.

Deloitte has a significant cybersecurity consulting practice globally, wherein it advises many of its clients on how best to secure their systems and sensitive data from hackers. In 2012, Deloitte was ranked #1 globally in security consulting based on revenue.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company based in the United Kingdom. According to the company’s Web site, Deloitte has more than 263,000 employees at member firms delivering services in audit and insurance, tax, consulting, financial advisory, risk advisory, and related services in more than 150 countries and territories. Revenues for the fiscal year 2017 were $38.8 billion.

The breach at the big-four accountancy comes on the heels of a massive breach at big-three consumer credit bureau Equifax. That incident involved several months of unauthorized access in which intruders stole Social Security numbers, birth dates, and addresses on 143 million Americans.

This is a developing story. Any updates will be posted as available, and noted with update timestamps.

via: krebsonsecurity