Monday, January 27, 2014

Snowden: US uses internet surveillance for industrial espionage

The US National Security Agency (NSA) - and by extension GCHQ - engages in widespread industrial espionage, claims former NSA contractor and whistleblower Edward Snowden. The allegations were made by Snowden in a German television interview.
Snowden added that the industrial espionage was not limited to "issues of national security", but any engineering and technology that may have value to corporate America.
Citing German industrial giant Siemens as an example, he said: "If there's information at Siemens that's beneficial to US national interests - even if it doesn't have anything to do with national security - then they'll take that information nevertheless."
The latest claims will call into question the wisdom of shifting corporate applications to the cloud.
This may not just open up applications and data directly to snooping by US government organisations; those organisations can also apply to the secret FISA court for orders compelling US-headquartered or US-based companies to open up their systems to the NSA. These court orders also oblige the companies to secrecy.
Snowden also told the television company, German public broadcasting network ARD TV, that he no longer possessed any of the incriminating documents, insisting that he had handed everything over to journalists - not the Russian government, as his detractors have repeatedly claimed.
None of the documents released by news outlets has gone so far as to indicate that the NSA is involved in industrial espionage, as Snowden claimed in the interview, although just one per cent of the treasure trove of documents that he handed over has been published to date.

Sunday, January 26, 2014

U.S. retailer Michaels warns of possible payment card breach

If confirmed, it would mark the second known data breach since 2011 at Michaels, which is preparing to sell shares in an initial public offering.
"We are concerned there may have been a data security attack on Michaels that may have affected our customers' payment card information," Michaels Chief Executive Chuck Rubin said in a statement on Saturday. "We are taking aggressive action to determine the nature and scope of the issue."
The warning comes in the wake of a massive data breach at Target Corp over the holiday shopping season, and suggests that hackers may be attacking U.S. retailers in a spree the extent of which is yet to be fully understood.
Target last month said hackers had stolen some 40 million payment card records and accessed 70 million customers' records. Luxury retailer Neiman Marcus has also disclosed a data breach that compromised data from about 1.1 million cards.
The U.S. Federal Bureau of Investigation last week warned retailers to expect more attacks and said the agency has reviewed 20 incidents over the past year that were similar to the recent breaches.
Michaels said federal investigators and an outside forensics firm were investigating to determine if there had been a breach. The company said it decided to warn the public and launch a probe into the matter after hearing that there had been an increase in fraud involving cards of customers who had shopped at its stores.
It was not immediately clear how many cards might have been affected, when an attack might have occurred, or whether the systems were currently compromised. A Michaels representative declined to elaborate on the statement.
U.S. Secret Service spokesman Edwin Donovan told Reuters his agency was investigating the matter.
Michaels, whose major investors are Blackstone Group LP and Bain Capital LP, last year filed documents with the U.S. Securities and Exchange Commission to go public. The company resubmitted its IPO documents late last month following a restructuring.
In a high-profile 2011 attack, hackers replaced some 84 PIN pads on payment-card terminals at a small number of Michaels stores, resulting in the theft of about 94,000 payment card numbers, according to Department of Justice attorneys who eventually prosecuted two men charged in that case.
Last year the Irving, Texas-based retailer settled a class-action consumer lawsuit related to the matter, without admitting to any wrongdoing.
Michaels disclosed the 2011 attack in an S-1 registration statement that it filed with the Securities and Exchange Commission in March of last year.
"This is devastating for them because this is the second time in a row," said Gartner security analyst Avivah Litan. "The public and the credit card companies are going to slap their wrist twice as hard because they'll say they haven't learned their lesson and that they can't be trusted."
But that criticism might be tempered somewhat, given that other retailers have been breached, Litan said.
The FBI has warned retailers about cyber criminals using "memory-parsing" software, also known as "RAM scrapers." When a customer swipes a payment card at checkout, the computer grabs data from the magnetic strip and transfers it to the retailer's payment processing provider. While the data is encrypted during the process, RAM scrapers extract the information from the computer's live memory, where it briefly appears in plain text.
RAM scraping technology has been around for a long time, but its use has increased in recent years and cyber criminals have added features to make it more difficult for victims to detect the malicious software on their networks.
"They have gotten much more sophisticated," said Daniel Clemens, chief executive of the cyber security firm Packet Ninjas, whose firm investigates credit card breaches at retailers. "We are in a cycle where the incidence of these attacks will just continue to grow."
(Reporting by Jim Finkle. Additional reporting by Mark Hosenball; Editing by James Dalgleish, Gunna Dickson and Tiffany Wu)

Wednesday, January 8, 2014

Target Data Breach: There Hasn't Been Much Fraud...Yet

Not so. Not yet, anyway. In fact, according to one fraud-fighting company, there’s little sign of an increase of fraudulent charges among Target breach victims. What gives?
There’s a difference between having your account number compromised and actually being hit with credit card fraud. One often leads to the other, but not always. At least, not right away.
BillGuard is a third-party service that lets consumers register their credit cards, then uses software to scan bills for fraud. Mick Weinstein, vice president of marketing at BillGuard, says 32,000 BillGuard customers were among those whose account info was stolen in the Target card heist — meaning they used their cards at the retailer during the nearly three-week stretch when hackers were siphoning off the card numbers.
Among those 32,000 accounts, about 2% were hit with fraud by the end of last week, Weinstein said — almost exactly the same fraud rate as a control sample of BillGuard customers who weren’t Target victims.
That suggests there isn’t widespread fraud hitting Target victims, at least for now. Of course, there have been anecdotal reports of fraud against Target victims; and only bank security officials really know what’s going on. But it seems a fraud outbreak hasn’t occurred. Why?
One possible explanation is bank and retailer back-end fraud systems are dialed so high that most of the attempted fraudulent transactions are being foiled, and consumers are blissfully unaware of that. However, selective rejection of transactions is very tricky, and criminals are pretty good at masking fraud to look like routine consumer transactions.
Another explanation is that banks have canceled or replaced many impacted cards, making them useless for fraud. However, banks are using a mixture of strategies to help exposed customers, so there certainly haven’t been across-the-board cancellations.
That makes sense: Reissuing cards is a hassle, and costs the banks real money. So many banks are taking a wait-and-see approach.
But so are the criminals.
Stay Vigilant
Hackers know their cache of stolen cards is under the fraud spotlight right now. There’s no mystery around the compromised account numbers — by now, every fraud-screening program has them loaded onto some kind of watch list. So bad guys with the “good” numbers likely plan to wait out the heightened attention.
“This was a very high profile breach, so the thieves — or those to whom they sell accounts in bulk — see more value in biding their time and waiting for card owner victims to lower their fraud sensitivity guard,” Weinstein said.
Credit card hackers routinely sit on stolen account numbers for months — or even a year or two — before attempting fraud. Eventually, banks’ and retailers’ focus on the Target cards will wane, as will the paranoia that consumers feel in the wake of the hack announcement. After all, there will be other credit card heists, and other incidents that require attention. Criminals with millions of stolen account numbers can afford to wait.
What does that mean for you? Now is no time to declare victory or end vigilance. Use your bank’s website to scan for unexpected charges at least once a week for the next several months. It only takes a few moments. And don’t forget — another common credit card hacker technique is to sneak small charges, often under $10, past banks and consumers. Hitting 10,000 cards with a $10 fraud is easier than hitting 10 cards with a $10,000 fraud. Your bank could very well miss such low-dollar fraud, and if you miss it, too, you’ll pay for it.
(Ed. Note: A sudden drop in your credit scores can be a sign of identity theft. To monitor your credit scores in the long term, you can use a free tool like the Credit Report Card to check two of your credit scores each month.)

Thursday, January 2, 2014

The growing hacking threat to e-commerce websites, part 1

by Ilia Kolochenko - CEO at High-Tech Bridge SA
17 December 2013.
Recently, a friend of mine, owner of a small online web store, had his website compromised. He asked me lots of questions about why this had happened (he didn't really have much sensitive information on his website), and how to avoid such security incidents in the future.

Many website owners don't even realize that they have been compromised. The majority of attacks remain undetected and unnoticed today because of the high level of sophistication of these attacks, as well as the low level of security awareness among the victims. This is why I decided to write a short and simple piece about web application security to help small online merchants secure their websites and avoid security breaches and data leaks.

Why do web security incidents happen? Targeted, semi-targeted and untargeted web attacks

I'd highlight three main types of attacks: targeted, semi-targeted and untargeted. The concept of a targeted attack is very simple: the final target of the hackers is your website (or other technical infrastructure) and nothing else. In the SMB e-commerce sector, targeted attacks are fortunately quite rare, as they are time-consuming, complex and expensive to conduct, while the proceeds of a targeted attack against a small e-commerce website can hardly cover its cost. Hackers are good economists, and will rarely spend more money on an attack than the benefit they can get from it.

However, don't relax too soon. Many website owners have a false sense of safety, convinced that, due to the small size of their business [website] or the absence of known enemies, nobody will ever try to hack their website. Let's have a look at semi-targeted attacks to demonstrate that this presumption is wrong.

A semi-targeted attack is when hackers target you (quite often among a dozen other resources), but you are not their final target. To become the victim of a semi-targeted attack it's enough that your web server is hosted in the same subnet of a large datacenter as the server of a large company [the final target]. I am not even speaking about shared web hosting, where one web server hosts hundreds of different websites, and quite often it's enough to compromise just one to get access to the others. Hackers always follow the most efficient path: compromising the weakest link in the security perimeter, and your website or web server may well fall into the weakest-link category in many cases. It is sufficient that a person hunted by the hackers has an account on your website, shop, forum or blog: for hackers it's much easier to compromise your website and try to reuse his or her password on other resources than to attack the front end of Gmail or PayPal to get access to his or her account there [the final target].
Don't think that storing your users' passwords hashed rather than in plaintext will deter hackers: the majority of hashing algorithms used in web applications are not strong enough to resist brute-force or dictionary attacks, and a good hacker may simply backdoor your login form and collect all user credentials in plaintext. In the most unlucky case, you may simply become an accidental victim of hacktivists, even if you are far away from politics, big corporations and banking institutions.
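To make the point about weak password hashing concrete, here is an added example (my code, not the author's or High-Tech Bridge's) contrasting an unsalted fast hash, which a precomputed dictionary reverses instantly, with a salted, iterated PBKDF2 store that gives each user a distinct digest and a per-guess work factor. The wordlist and the passwords are constructed for the demonstration; the storage format string is an assumption, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini wordlist standing in for an attacker's dictionary.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "monkey"]


def weak_store(password: str) -> str:
    """Unsalted MD5: every user with the same password gets the same digest,
    so one precomputed table breaks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_lookup(digest: str) -> Optional[str]:
    """Reverse a weak_store() digest by table lookup (no hashing at attack time)."""
    table = {weak_store(word): word for word in DICTIONARY}
    return table.get(digest)


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random per-user salt defeats precomputed
    tables; the iteration count makes each guess expensive.
    Record format (assumed, not a standard): algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("weak digest recovered as:", dictionary_lookup(weak_store("letmein")))
    record = strong_store("letmein")
    print("same password, distinct record each time:", record != strong_store("letmein"))
    print("verify correct password:", strong_verify("letmein", record))
```

Note that hashing only protects the stored copy; as the post says, a backdoored login form still sees the plaintext, so it must be combined with integrity monitoring of the application code.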

It's enough that your web resource belongs to a specific country or merely mentions the products of a company targeted by the hacktivists, and they may come to vandalize your website, expose your customers or delete your database and backups. Why? Simply because your website was one of the least protected on their "to-attack" list. Unfortunately, it's much easier to compromise a hundred small websites to protest and create a media buzz than to deface the main Gazprom or NSA websites. The above-mentioned examples are semi-targeted attacks, in which you and your website are selected by hackers on purpose, but only to facilitate their further targeted attack on bigger resources.

Now, let's speak about untargeted attacks, which are the most common today in the SMB sector. Cybercrime is a very big and fast-growing industry. Each byte of information has its price on the black and grey markets. Of course, one customer record from an online shop will hardly bring more than one penny, but a hundred records is already £1 (or even more), while a thousand records easily brings at least £10 (or much more, depending on the records' "quality" and "completeness").

How much would it cost to compromise Amazon? Several million GBP, and you would also need time, excellent technical skills and a bit of luck. Not many Black Hats have the necessary skills, time and resources to launch attacks against the biggest players of the e-commerce industry, so they prefer to compromise a dozen small and medium online shops per day and make their money on the "every little helps" principle.

How will they find your website on the Internet? Easily: Google is a hacker's best friend. Robots, hidden behind millions of proxies, crawl the World Wide Web 24/7/365 looking for outdated versions of web application software and brute-forcing default and weak passwords.
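The robots described above leave a recognisable footprint in an ordinary web server access log: one source requesting many distinct non-existent paths (version and software probing) or repeatedly failing authentication on one endpoint (password guessing). The following is an added example (my code, not the author's) of detection logic that a small merchant could run over such a log; the log lines are constructed in combined log format with RFC 5737 documentation addresses, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed access-log sample (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2014:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2014:10:00:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2014:10:00:03 +0000] "GET /readme.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2014:10:01:10 +0000] "GET /products/42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Jan/2014:10:02:00 +0000] "POST /admin/login HTTP/1.1" 401 128 "-" "python-requests/2.0"
192.0.2.9 - - [02/Jan/2014:10:02:01 +0000] "POST /admin/login HTTP/1.1" 401 128 "-" "python-requests/2.0"
192.0.2.9 - - [02/Jan/2014:10:02:02 +0000] "POST /admin/login HTTP/1.1" 401 128 "-" "python-requests/2.0"
"""

# Client IP, request line and status code are all that the heuristics need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(lines):
    """Yield (ip, path, status) for each well-formed line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def flag_scanners(lines, probe_threshold=4, guess_threshold=3):
    """Return {ip: [reasons]} for sources whose pattern looks automated:
    many distinct 404s (probing for installed software) or repeated 401s
    (guessing credentials). Thresholds are assumptions, not vendor defaults."""
    missing = defaultdict(set)        # ip -> distinct paths answered with 404
    failed_logins = defaultdict(int)  # ip -> number of 401 responses
    for ip, path, status in parse(lines):
        if status == 404:
            missing[ip].add(path)
        elif status == 401:
            failed_logins[ip] += 1
    findings = {}
    for ip, paths in missing.items():
        if len(paths) >= probe_threshold:
            findings.setdefault(ip, []).append(f"probed {len(paths)} distinct missing paths")
    for ip, count in failed_logins.items():
        if count >= guess_threshold:
            findings.setdefault(ip, []).append(f"{count} failed logins")
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

Flagged addresses are candidates for rate limiting or a temporary block at the web server or firewall, and a steady stream of such probes for a product you run is the cue to check that its version is current.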

In untargeted attacks, hackers make their money on quantity, not quality. I will not even list all the goals hackers may have in hacking your website: besides the banal theft of your databases, they infect websites with malware to conduct drive-by attacks against visitors, turn those visitors into zombies for DDoS attacks, and even create hidden sections with illicit content, for which you may be held responsible.

Web applications are one of the easiest and most popular attack vectors used by hackers today. During the last three years High-Tech Bridge Security Research Lab has identified almost one thousand vulnerabilities in commercial and open-source web applications installed on tens of millions of active websites.
Unfortunately, hackers have much bigger resources and a predictable ROI (Return On Investment), which allow them to achieve far more impressive results. The number of web security incidents keeps growing, while the quality of web application coding and users' security awareness don't keep pace. Remember that Black Hats may select your website as a target at any time, and one day they will, so it's only a question of time. After this brief overview of attackers' motivation in the first part, we will have a look at the most common web hacking techniques, countermeasures and the investigation process in the second part.