September 1, 2014

Target CEO resigns five months after data breach revelation

At the end of December last year, during one of the busiest shopping seasons, the US retailer Target revealed that payment details from up to 40 million credit cards had been stolen after being used on card-swipe machines at 1,797 of its stores. The attack started just before Black Friday and continued for about two and a half weeks.

Five months on from the announcement of the data breach, Target’s board of directors has decided to remove Gregg Steinhafel as chairman and chief executive, saying it wanted new leadership to help restore consumer confidence. The official text from the board of directors thanks Steinhafel for his “significant contributions and outstanding service throughout his notable 35-year career with the company” but blames the CEO directly for the data breach: “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable…” And now it looks like that accountability has lost him his job.

After the attack occurred, details started to emerge showing that Target could have prevented it. According to Bloomberg, Target had invested $1.6 million in installing a malware detection tool from FireEye.

Target used a team of security specialists in Bangalore to monitor its network. On Saturday, Nov. 30, the hackers uploaded malware to Target’s network so that they could copy the stolen credit card details. FireEye spotted the malware along with some suspicious activity and the Bangalore team alerted their bosses in Minneapolis. But it appears that the security team in Minneapolis did nothing.

Since the breach, Target has faced at least 90 lawsuits and been forced to spend at least $61 million to settle them. According to Brian Krebs, Target does not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Krebs also estimates that the cyber criminals probably made somewhere around $53 million from the sale of stolen credit card details.

It is thought that details of up to 3 million cards were successfully sold on the black market and used before the issuing banks managed to cancel the whole batch of 40 million cards.

300,000 home routers and modems hacked

New research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer-level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims’ DNS requests to any site they choose and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to fake websites that capture users’ login credentials. It would also be possible for the attackers to inject their own adverts into web pages people visit or to change search results.

The team started its investigation in January 2014 and to date it has identified over 300,000 compromised devices, mostly in Asia and Europe. Once a device has been hacked its DNS settings are changed to 5.45.75.11 and 5.45.75.36. The majority of the affected routers appear to be in Vietnam; other affected countries include India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately routers from more than one manufacturer seem to be vulnerable to the attacks, and the hackers are using multiple exploit techniques. The research has not uncovered any new or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.


Forbes and Kickstarter breached in separate attacks

Hackers have recently breached two high-profile sites and user credentials have been stolen. Forbes announced on its Facebook page that it was “targeted in a digital attack” and that the site was “compromised.” The result was that the hackers stole over 1 million account records. At around the same time Kickstarter also posted a blog entry reporting “that hackers had sought and gained unauthorized access” to some of its customers’ data.

The attack on Forbes.com seems to have been carried out by the Syrian Electronic Army (SEA). The hacktivists subsequently published a database of email addresses and passwords for 1,071,963 accounts. Forbes says that the passwords were encrypted; however, the site does “strongly encourage Forbes.com readers to change their passwords.” The disclosure notification went on to say, “The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks.”

Kickstarter found out about the breach to its systems when law enforcement officials contacted it and pointed out what the hackers had been doing. According to Kickstarter, “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”

However, user account information including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords was accessed. Kickstarter doesn’t actually say whether it used a salt for its password encryption, but it does state that users should change their password, as it is possible that “a malicious person with enough computing power” could guess and crack an encrypted password, particularly a weak or obvious one.

It looks as if Forbes.com may have used the Portable PHP password hashing framework (phpass), and according to Sophos that means the passwords were hashed using a 6-byte random salt and 8192 iterations of the MD5 hash. The repeated application of MD5 is there intentionally to stretch out the computation time needed for a brute-force attack.
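To make the stretching concrete, here is an added example (not code from the article, Forbes, or the phpass project) that models the scheme as described: a 6-byte random salt followed by 8192 chained MD5 rounds, with a constant-time verify. phpass’ own “$P$” record encoding is not reproduced; the “salt$iterations$digest” record format and the sample passwords are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example modelled on the phpass description above: a random
# salt, then a chain of MD5 rounds. phpass' own "$P$" string encoding is
# not reproduced; records here are plain "salt_hex$iterations$digest_hex".
SALT_BYTES = 6          # the article reports a 6-byte random salt
ITERATIONS = 8192       # the article reports 8192 MD5 iterations


def stretch_md5(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated MD5: md5(salt||pw), then `iterations` rounds of
    md5(prev_digest||pw). Returns the raw 16-byte digest."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(iterations):
        # feeding the password back in each round is what makes every
        # guess cost the attacker the full chain, not just one MD5 call
        digest = hashlib.md5(digest + password).digest()
    return digest


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Create a storable record; a fresh random salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be {SALT_BYTES} bytes")
    digest = stretch_md5(password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the chain from the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = record.split("$")
    digest = stretch_md5(password.encode("utf-8"), bytes.fromhex(salt_hex),
                         int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def md5_calls_per_guess(record: str) -> int:
    """Work an attacker must do per password guess against this record."""
    return int(record.split("$")[1]) + 1


if __name__ == "__main__":
    rec = make_record("correct horse battery")   # constructed sample password
    print(rec)
    print("verify ok:", verify("correct horse battery", rec))
    print("verify wrong:", verify("Tr0ub4dor&3", rec))
    print("MD5 calls per guess:", md5_calls_per_guess(rec))
```

Because the salt is random per user, the same password produces a different record for each account, so a table precomputed for one account is useless against another; the chain length is what multiplies the per-guess cost.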

As is the norm, both sites are sorry and apologize for what happened and everyone is promising to tighten up security.

Malware used on point-of-sale terminals to steal details of 40 million credit cards

A few days before Christmas the US retail giant Target revealed that payment details from up to 40 million credit cards could have been stolen after being used on card-swipe machines at 1,797 Target stores. The breach started just before Black Friday and continued for about two and a half weeks.

Target CEO Gregg Steinhafel revealed in a CNBC interview yesterday that the cyber-thieves stole the credit card numbers, CVV numbers and encrypted PIN codes of 40 million customers by installing malware on the point-of-sale devices used in Target stores. The same malware also allowed the thieves to take personally identifiable information, including postal addresses and phone numbers, on a total of 70 million shoppers.

At the time of the breach, Brian Krebs revealed that sources at credit card payment processing firms had told him about the data-stealing malware but this is the first time that the existence of the malware has been confirmed by Target itself.

“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”

The security breach was discovered on December 15th, but Target didn’t go public until December 19th. As a result the company is coming under increasing pressure to justify the four-day delay in notifying its customers. According to Steinhafel, the sequence of events from the 15th was as follows:

  • Day 1 – Breach discovered and malware removed from POS registers.
  • Day 2 – Initiating the investigation work and the forensic work.
  • Day 3 – Setting up the call center and preparing store employees for customer queries.
  • Day 4 – Public disclosure.

Target was not the only US retailer to suffer a security breach in the run-up to Christmas. Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be made public. According to people familiar with the situations, these three retailers were attacked using techniques similar to those used on Target. There is speculation that the perpetrators of the Target attack may also be responsible for these other security breaches.

China suspected to be behind U.S. Army Corps of Engineers database hack

(LiveHacking.Com) – U.S. intelligence agencies are treating a recent cyber attack and subsequent intrusion into a database belonging to the U.S. Army Corps of Engineers as a cyber attack from China. According to the Free Beacon, U.S. intelligence agencies have traced the hack to the Chinese government or military cyber warriors.

The compromised database belonged to the U.S. Army Corps of Engineers and held data about dams. The National Inventory of Dams (NID) contains information on possible vulnerabilities of some 8,000 dams across the United States. In a worst-case scenario the attack is a preemptive move by China in preparation for future cyber attacks against the nation’s electrical infrastructure.

“The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined not to have the proper level of access for the information,” said Pete Pierce, a Corps of Engineers spokesman.

Upon discovering the unauthorized access the Corps of Engineers revoked the user’s access to the database.

The database collects information about dams which are either large (those that exceed 25 feet in height or exceed 50 acre-feet of storage) or have a hazard classification because of the loss of human life that would result if the dam failed. The database was started in 1972 when laws came into effect that required cooperation between the Corps and the Federal Emergency Management Agency. These laws were updated in 2002 and 2006 to recognize that dams are part of critical U.S. infrastructure and require protection.

In January, a report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, revealed that the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

Hackers breach externally hosted database used by UK’s Hertfordshire Police

(LiveHacking.Com) – A website belonging to the UK’s Hertfordshire Police has been hacked and what appear to be login details, passwords and other details have been published online. The database for the Safer Neighbourhood Teams website, which was externally hosted, held personal data including phone numbers and IP addresses relating to a number of officers.

In a statement given to the BBC, the Hertfordshire Constabulary said it was currently investigating the publication of information stored on a database linked to the public Safer Neighbourhoods pages of the external Constabulary website, and that the site has been temporarily disabled. “There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way.”

The hack seems to have been motivated by the current plight of Wikileaks founder Julian Assange. There has been a rise in the number of hacking attacks since the UK government said it would arrest and extradite Mr Assange if he left Ecuador’s embassy in London. An “OpFreeAssange” banner was included with the database details that were posted online, as well as a quote from the Wikileaks founder. However, the hacker was also keen to point out that he wasn’t part of the infamous hacking group Anonymous.

Catalin Cosoi, chief security researcher at Bitdefender, said to SC Magazine: “The unknown attacker extracted from the second breached website what appear to be police officers’ email addresses, passwords to those email accounts and a list of PINs probably employed as additional safety tools. Several user logs have also been made public, exposing a list of employee names and corresponding IPs that could be used in cyber crime operations requiring identification of a specific machine, containing a particular type of data.”

Questions are now being asked about why a police force was using an externally hosted website. The problem with any third-party supplier is that its security practices and procedures are unknown and outside the control of the client, in this case a police force. This attack highlights the need for anyone (including public sector organisations) using external hosting to validate the security of the external service.

Philips Electronics Website Hacked, 200,000 Records Stolen

(LiveHacking.Com) – One of the largest electronics companies in the world, Philips Electronics, has been hacked. According to The Hacker News, the hackers defaced a Philips subdomain and left their names “bch195” and “HaxOr”, claiming to be members of Team INTRA.

The hackers posted information about the security breach on pastebin, which itself contained links to the site privatepaste.com. These links led to samples of the personal information the hackers had stolen, including names, email addresses, occupation, date of birth, phone number and postal address.

The hackers also commented that “This is first 100 emails from 200k list.I don’t want to share more because i will sell it.”

According to V3, Philips is aware of the incident and has taken action to minimise its impact. Philips is following its standard security incident response procedure and is collaborating with law enforcement.

“Within an hour Philips became aware of the event, the compromised server was shut down. We are assessing the nature and extent of information that may have been accessed and a full investigation is in place,” they said.

This attack is another in a long list of very public security breaches. If the hackers have been able to steal over 200,000 records with personal details including postal addresses and phone numbers, it potentially means they could have gained further access to other Philips servers.

It is interesting to note that the hackers defaced a subdomain and not the main site. Hackers like to target smaller websites (even within a larger corporation) as these are often less well protected. This is what happened to Sony Pictures in 2011 when hackers breached an old competition website.

Dutch ISP KPN Security Breach

(LiveHacking.Com) – One of the largest ISPs in The Netherlands has shut down its email services after a security breach where hackers leaked the credentials and personal information of more than 500 of its customers.

KPN discovered the breach at the end of January but, after consulting with the Dutch government and law enforcement agencies, decided not to go public with the details. Once KPN discovered that account details were being posted online (at PasteBin) it decided to suspend its email services as a precautionary measure. During Saturday email services resumed and KPN sent customers information on how to reset their password.

KPN has over two million customers and it is unclear whether the hackers got access to information about all of these accounts or just the 500 posted online.

Unauthorized Activity Within One of DreamHost’s Databases Prompts Password Resets

(LiveHacking.Com) – DreamHost detected some unauthorized activity within one of its databases over the weekend, and as a precautionary measure it is forcing customers to change their Shell and FTP passwords. To do this users needed to access the DreamHost web panel and go to “Manage Users”; however, the rush of customers wanting to protect their accounts left the web panel overwhelmed, with intermittent access for about an hour before DreamHost managed to fix it.

According to DreamHost, its support team handled thousands of password-related requests over the weekend, and all mandatory Shell & FTP password resets were completed Friday evening for shared hosting customers and by Saturday for its VPS customers.

“Due to the fast action we took to reset passwords, we’re not seeing any unusual malicious activity on customer accounts. Our security software and systems are functioning normally.”

DreamHost subsequently posted a security update in which it revealed that the database was accessed using a zero-day exploit; however, the intrusion detection systems alerted DreamHost’s security team, who then identified the means of access and blocked it. After a quick review of the data potentially accessed, it appeared that some customers’ FTP and shell access passwords were possibly compromised. This prompted the hosting company to initiate a forced reset of FTP and shell access passwords.

When asked if DreamHost stores its passwords in plaintext, Simon Anderson, CEO of DreamHost, replied: “Our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”

Ashampoo Security Breach – Names and Email Addresses Taken

At the moment there seems to be a cyber crime wave and attackers are picking top names on the Internet to attack and hack. Recently servers at RSA were breached and then Epsilon was attacked. Now Ashampoo, the German software company best known for Ashampoo Burning Studio and Ashampoo WinOptimizer, has been attacked.

According to an email sent to its customers today, Ashampoo detected unauthorized access to one of its server systems and customer data was exposed. However, it wants to reassure customers that billing information (e.g. credit card information or banking information) was definitely not taken, as this data is not stored on its systems. As soon as the break-in was detected it was interrupted, the security gap closed and the incident reported to the police.

Ashampoo is warning its customers of possible after-effects of the theft and cites the example of PurelyGadgets, which announced that its servers were used to send bogus order confirmations. The emails contained a manipulated PDF document in the attachments that exploited vulnerabilities in Adobe Acrobat Reader to load malicious code on the recipient’s PC.

If you have further questions concerning this issue, Ashampoo’s support team (security@ashampoo.com) is at hand for help and advice. Inquiries in this context are being handled with the highest priority.