Feed aggregator

New NIST Tool Streamlines Government App Vetting

Threatpost for B2B - Wed, 04/23/2014 - 15:19
Developers who produce apps intended for use on internal networks at government agencies are getting a vetting process of their own called AppVet.

Google Adding Security Checks to Non-OAuth 2.0 Compliant Apps

Threatpost for B2B - Wed, 04/23/2014 - 14:49
Google announced it will add additional security checks to log-in attempts from applications or devices that do not support OAuth 2.0.

LibreSSL Sticks a Fork in OpenSSL

Threatpost for B2B - Wed, 04/23/2014 - 12:57
LibreSSL, a fork of OpenSSL, has already made "improvements" in OpenSSL programming practices according to OpenBSD officials.

Iowa State Hacked–To Mine Bitcoins

Threatpost for B2B - Wed, 04/23/2014 - 11:25
Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach.

OpenSSL Heartbleed Highlights Crypto Pitfalls

Threatpost for B2B - Wed, 04/23/2014 - 09:36
There is no shortage of bad advice online about crypto, or anything else for that matter. The recent mess involving the OpenSSL Heartbleed vulnerability has brought out plenty of advice on building, implementing and repairing cryptosystems, but experts say that the fundamental truths about how to do these tasks haven't changed much. Cryptosystems are the […]

NIST Removes Dual EC from Draft Guidance on RNGs

Threatpost for B2B - Tue, 04/22/2014 - 17:06
NIST announced it has removed the Dual EC DRBG random number generator from a draft guidance on RNGs; the move could become official next month after a public comment period expires.

AOL Email Hacked by Spoofers to Send Spam

Threatpost for B2B - Tue, 04/22/2014 - 16:20
A slew of old AOL email accounts were hacked over the weekend to send spam to other users.

Apple Fixes Serious SSL Issue in OS X and iOS

Threatpost for B2B - Tue, 04/22/2014 - 15:47
Apple has fixed a serious security flaw, present in many versions of both iOS and OS X, that could allow an attacker to intercept data on SSL connections.

DBIR: Poor Patching, Weak Credentials Open Door to Data Breaches

Threatpost for B2B - Tue, 04/22/2014 - 12:44
Weak or default credentials, poor configurations and a lack of patching are common denominators in most data breaches, according to the 2014 Verizon Data Breach Investigations Report.

DBIR: Point-of-Sale Breaches Trending Downward

Threatpost for B2B - Tue, 04/22/2014 - 00:01
The 2014 Verizon Data Breach Investigations Report reveals that point-of-sale intrusions are down, Web applications attacks are up, and DDoS and cyberespionage attacks merit watching.

CloudFlare Launches Bug Bounty Program

Threatpost for B2B - Mon, 04/21/2014 - 15:45
CloudFlare is launching a new vulnerability disclosure program in conjunction with the HackerOne bug-bounty platform.

Oracle Gives Heartbleed Update, Patches 14 Products

Threatpost for B2B - Mon, 04/21/2014 - 13:55
Amidst all of the fallout related to Heartbleed, Oracle is doing its best to keep users apprised of its efforts to patch any and all software that may be vulnerable to the OpenSSL issue.

OpenICS Decodes Control System Traffic, Builds Data Dictionaries

Threatpost for B2B - Mon, 04/21/2014 - 13:49
An ICS protocol sniffer has been released to GitHub. OpenICS builds data dictionaries, rather than signatures, from the packets it captures in order to help business leaders make security decisions.

OpenSSL Heartbleed and the Value of CRLs

Threatpost for B2B - Mon, 04/21/2014 - 12:02
One of the consequences of the drama around the OpenSSL heartbleed vulnerability is that security experts have begun taking a hard look again at the certificate revocation process and whether it actually protects users or gives them any visibility into the validity of a given certificate. In a lot of cases, the answer is probably no.
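What a CRL lookup actually decides, as an added example that is not taken from the article or from any browser or library: it generates a throwaway CA, a server certificate and a CRL entirely in memory (the names are hypothetical), then shows the check flagging the revoked serial, refusing a stale CRL, and refusing a CRL signed by a different key. The branch worth noticing for the discussion above is StatusUnknown: a client that silently treats it as "good" gets no protection from revocation at all, which is the soft-fail behaviour the summary is questioning.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a relying party learns from a CRL lookup.
type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // serial absent from a valid, current CRL
	StatusRevoked                         // serial listed on a valid, current CRL
	StatusUnknown                         // CRL unparsable, wrong issuer, bad signature, or stale
)

// checkCRL decides the status of leaf against a DER-encoded CRL that should
// have been issued by issuer. Anything that stops the CRL from being trusted
// yields StatusUnknown; the caller must decide whether that fails open or closed.
func checkCRL(crlDER []byte, issuer, leaf *x509.Certificate, now time.Time) (RevocationStatus, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if !bytes.Equal(rl.RawIssuer, issuer.RawSubject) {
		return StatusUnknown, errors.New("CRL issuer does not match the certificate issuer")
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is not current")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// buildDemoPKI generates, in memory, a throwaway CA, a server certificate it
// issued, and a CRL signed by that CA which lists the server certificate when
// revoke is true. Names are hypothetical; nothing here is a real CA.
func buildDemoPKI(now time.Time, revoke bool) (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(12 * time.Hour),
	}
	if revoke {
		// A key leaked through a bug like Heartbleed is exactly what this entry is for.
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{
			SerialNumber:   leaf.SerialNumber,
			RevocationTime: now.Add(-time.Minute),
		}}
	}
	if crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey); err != nil {
		return nil, nil, nil, err
	}
	return ca, leaf, crlDER, nil
}

func main() {
	now := time.Now()
	ca, leaf, crl, err := buildDemoPKI(now, true)
	if err != nil {
		panic(err)
	}
	st, err := checkCRL(crl, ca, leaf, now)
	fmt.Println("revoked:", st == StatusRevoked, "err:", err)
}
```

The check is only as good as the decision made on StatusUnknown: a client that cannot fetch the CRL, or fetches one that is expired or signed by the wrong key, has learned nothing about the certificate, and treating that as a pass is what lets a revoked certificate keep working.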

Targeted Attack Uses Heartbleed to Hijack VPN Sessions

Threatpost for B2B - Fri, 04/18/2014 - 15:33
Details of a targeted attack have emerged where hackers are using the Heartbleed OpenSSL vulnerability to hijack active VPN sessions to remotely access an enterprise.

3 Million Cards Impacted in Michaels Breach

Threatpost for B2B - Fri, 04/18/2014 - 14:33

Nearly four months after first reporting that it was investigating a data breach, the arts and crafts retail chain Michaels confirmed yesterday that most of its U.S. stores were compromised on and off over an eight-month period and that payment card data for nearly three million of its customers may have been exposed.

The company operates more than 1,000 stores across the United States and nearly all of them were breached, although the company says the attack has now been fully contained. According to yesterday's press release, 2.6 million cards used at affected Michaels point-of-sale systems between May 8, 2013 and January 27, 2014 may have been compromised.

While some stores were targeted only once, others were hit up to four separate times, some for months at a stretch; the longest exposure window ran from May to October last year.

A 45-page document (.PDF) posted by the company yesterday lists each affected store (more than 1,000 of them) and the period during which customers' cards were exposed at each one.

Michaels downplayed the issue by pointing out that the number of affected cards only translates to roughly seven percent of payment cards used at its stores over the course of that time period.

The compromised point-of-sale systems handled customers' credit and debit card numbers and expiration dates, and those are the primary data considered exposed in the breach. The company says, however, that customers' names, addresses and PINs do not appear to have been taken at this time.

As many as 400,000 additional cards also appear to have been implicated in a separate breach that affected one of the company’s subsidiaries, the specialty framing and art supply chain Aaron Brothers. The same malware plagued 53 different Aaron Brothers stores (.PDF) between June 26, 2013 and February 27, 2014, mostly in California but also in Arizona, Washington, Oregon, Nevada, Colorado and Texas.

The news comes four months after the Irving, Texas, company announced it was investigating a potential data breach. Since then the company says it hired two security firms who were able to work in tandem with law enforcement, banks and payment processors to look into the issue.

While officials noticed the attack and were able to contain it at Michaels in late January, the attack at Aaron Brothers appears to have slipped past them: malware remained on systems at those stores for another month, deep into February.

While similar in method, the Michaels breach pales beside this past winter's Target attack, which exposed payment card data for more than 40 million customers. Like the Michaels attack, the Target attack, which came to light shortly before the new year, relied on infecting the retail giant's point-of-sale terminals with RAM-scraping malware for several weeks, from Thanksgiving to mid-December last year.

In a blog post earlier this month, researchers at HP pointed out that despite the run of retail card breaches (Target, Michaels, Sally Beauty Supply and others) there is still no easy way to counter these attacks, because there is only so much that can be done to protect magnetic stripe data.

“Memory scraping has become the new trend, but there is no easy way to defend against this technique as the magnetic stripe information is decrypted at some point,” Matt Oh, a Senior Malware Researcher with HP, pointed out. “This limitation with magnetic stripe technology and the history of cat and mouse between the credit card industry and the criminals tells us that it is time to adopt a new technology.”
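The observation in the quote above, that stripe data sits in the clear somewhere in the terminal's memory, is also what makes exposure verifiable during incident response. As an added example, not code from the article or from HP, the following scans a captured memory region for ISO 7813 Track 2 records, keeps only PANs that pass the Luhn check, and masks them in the report so the finding does not become another copy of cardholder data. The memory bytes are constructed for the example and use published test card numbers; the hit offsets depend only on that constructed input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// track2Pattern matches an ISO 7813 Track 2 record as it sits in memory:
// ';' start sentinel, 13-19 digit PAN, '=' separator, expiry YY and MM,
// 3-digit service code, optional discretionary data, '?' end sentinel.
// RAM-scraping POS malware, and the rules written to hunt it, look for
// essentially this pattern.
var track2Pattern = regexp.MustCompile(`;(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?`)

// luhnValid reports whether digits pass the Luhn check, which discards most
// random digit runs that happen to fit the pattern.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// TrackHit is one cleartext Track 2 record located in a memory region.
type TrackHit struct {
	Offset int    // byte offset of the start sentinel
	PAN    string // masked: first six and last four digits only
	Expiry string // YYMM
}

// maskPAN keeps the BIN and last four digits so the finding is actionable
// without the report itself holding a full card number.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// scanTrack2 walks a captured memory region (a process dump, a pagefile
// slice, an image of RAM) and returns every Luhn-valid Track 2 record in it.
func scanTrack2(mem []byte) []TrackHit {
	var hits []TrackHit
	for _, m := range track2Pattern.FindAllSubmatchIndex(mem, -1) {
		pan := string(mem[m[2]:m[3]])
		if !luhnValid(pan) {
			continue
		}
		hits = append(hits, TrackHit{
			Offset: m[0],
			PAN:    maskPAN(pan),
			Expiry: string(mem[m[4]:m[5]]) + string(mem[m[6]:m[7]]),
		})
	}
	return hits
}

// sampleMemory is constructed for this example: fragments of a POS process
// heap holding two well-formed records built from published test card
// numbers, one record whose PAN fails the Luhn check, and unrelated bytes.
var sampleMemory = []byte("\x00\x00AUTH REQ\x00;4111111111111111=25121011234567890?\x00\x00" +
	"junk;1234567890123=2401101?more\x00" +
	";5500000000000004=2606201?\x00\x00" +
	";4111111111111112=2512101?")

func main() {
	for _, h := range scanTrack2(sampleMemory) {
		fmt.Printf("offset %d: PAN %s expires %s\n", h.Offset, h.PAN, h.Expiry)
	}
}
```

Run against a real dump, a non-empty result is direct evidence that card data was recoverable from that process, which is the same condition the scraper exploited; Track 1 records (start sentinel `%B`, fields separated by `^`) can be added with a second pattern in the same loop.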


ICS-CERT Warns of Heartbleed Vulnerabilities in Siemens Gear

Threatpost for B2B - Fri, 04/18/2014 - 13:20

A number of ICS products from Siemens and Innominate are vulnerable to the OpenSSL heartbleed flaw, some of which do not have updates available yet.

The list of products affected by the heartbleed vulnerability continues to grow by the day, with OpenVPN being one of the latest. A researcher on Friday said that he was able to extract a private key from a vulnerable OpenVPN server after hitting it with a large volume of requests over the course of several hours.

Now, the ICS-CERT has issued an advisory warning that several products from Siemens and one from Innominate are vulnerable to the heartbleed attack. The mGuard firmware from Innominate, versions 8.0.0 and 8.0.1, is vulnerable, but the company has issued an update that addresses the flaw.

Meanwhile, Siemens has identified a number of its products that contain the heartbleed vulnerability. The list of vulnerable products includes:

  • eLAN-8.2 eLAN prior to 8.3.3 (affected when RIP is used – update available)
  • WinCC OA only V3.12 (always affected)
  • S7-1500 V1.5 (affected when HTTPS active)
  • CP1543-1 V1.1 (affected when FTPS active)
  • APE 2.0 (affected when SSL/TLS component is used in customer implementation).

“A successful ‘HeartBleed’ exploit of the affected products by an attacker with network access could allow attackers to read sensitive data (to include private keys and user credentials) from the process memory,” the advisory says.

By some estimates, OpenSSL is deployed on more than half of the SSL-protected Web servers worldwide, but that’s just one piece of the puzzle. The library also is used in embedded devices, industrial control systems and other systems, some of which are just coming to light now.
