New submitter alir1272 quotes a report from Krebs On Security: Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after Krebs On Security first notified the clothier about a possible intrusion at stores nationwide. "The company emphasized that this breach did not impact purchases made at the company's online store eddiebauer.com," reports Krebs On Security.
An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."
blottsie writes: The NSA and FBI are both expected to investigate the leak of NSA-linked cyberweapons this week by an entity calling itself the Shadow Brokers, experts with knowledge of the process tell the Daily Dot. However, multiple experts say any retaliation by the U.S. will likely remain secret to keep the tactical advantage. Meanwhile, Motherboard reports that some former NSA staffers believe the leak is the work of a "rogue NSA insider." "First, the incident will be investigated by the National Security Agency as it tracks down exactly what went so wrong that top-secret offensive code and exploits ended up stolen and published for the world to see," reports Daily Dot. "An FBI counterintelligence investigation will likely follow, according to experts with knowledge of the process. [...] Following the investigation, the NSA and other entities within the United States government will have to decide on a response." The response will depend on a lot of things, such as whether or not an insider at the NSA is responsible for the breach -- a theory that is backed by a former NSA staffer and other experts. "The process is called an IGL: Intelligence Gain/Loss," reports Daily Dot. "Authorities suss out a pro and con list for various reactions, including directly and publicly blaming another country. [Chris Finan, a former director of cybersecurity legislation in the Obama administration and now CEO of the security firm Manifold Technology, said:] 'Some people think about responding in kind: A U.S. cyberattack. Doing that gives up the asymmetric response advantage you have in cyberspace.' Finan urged authorities to look at all tools, including economic sanctions against individuals, companies, groups, governments, or diplomatic constraints, to send a message through money rather than possibly burning a cyberwar advantage. Exactly if and how the U.S. responds to the Shadow Brokers incident will depend on the source of the attack. Attribution in cyberwar is tricky or even impossible much of the time. It quickly becomes a highly politicized process ripe with anonymous sources and little solid fact."
An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.
An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.
Patrick O'Neill quotes a report from The Daily Dot: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks. "Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible." The report adds: "An unknown group of hackers dubbed the Shadow Brokers posted cyberweapons stolen from the so-called Equation Group, the National Security Agency-linked outfit known as 'the most advanced' group of cyberwarriors in the internet's history. One of the cyberweapons posted was an exploit called ExtraBacon that can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers. 'ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,' Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot. 'If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.' ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."
An anonymous reader writes: Chip maker Intel has entered an unlikely partnership with British semiconductor firm ARM in an effort to boost opportunities for its foundry business. The licensing agreement, which was confirmed at the Intel Development Forum in San Francisco, means that from 2017 Intel's Custom Foundry will manufacture ARM chips -- used by smartphone giants such as Apple, Qualcomm and Samsung. On the announcement of its latest earnings report, Intel was clear to highlight a shift in focus, away from the traditional PC market, to emerging areas such as the Internet of Things and mobile -- a sector dominated by one-time arch rival ARM. It seems that Intel has now decided to surrender to the latter's prominence in the field.
tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report.
An anonymous reader quotes a report from Ars Technica: Two former employees of the National Security Agency -- including exiled whistleblower Edward Snowden -- are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement. Both Snowden and Dave Aitel, an offensive security expert who spent six years as an NSA security scientist, are speculating that Monday's leak by a group calling itself Shadow Brokers is in response to growing tensions between the U.S. and Russia over the hacks on the Democratic groups. As this post was being prepared, researchers with Kaspersky Lab confirmed that the tools belong to Equation Group, one of the most sophisticated hacking groups they've ever investigated. "Why did they do it?" Snowden wrote in a series of tweets early Tuesday morning. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack." In a brief post of his own, Aitel agreed that Russia is the most likely suspect behind both the Democratic hacks and the leaking of the NSA spying tools. He also said the NSA data was likely obtained by someone with physical access to an NSA secure area who managed to walk out with a USB stick loaded with secrets.
msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.
Reader DaveyJJ writes: CBC is reporting that the Canadian Association of Chiefs of Police, has passed a resolution calling for a legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities. The chiefs are recommending new legislation that would force people to hand over their electronic passwords with a judge's consent. RCMP Assistant Commissioner Joe Oliver is using the usual scare tactics "child-molesters and mobsters live in the 'dark web'" in his statement today to drum up public support in his poorly rationalized privacy-stripping recommendation. A few years ago, Canada's Supreme Court ruled that police must have a judge's order to request subscriber and customer information from ISPs, banks and others who have online data about Canadians. I guess that ruling isn't sitting too well with law enforcement and Canada's domestic spy agencies.
An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third-party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.
hackingbear quotes a report from The Verge: China's quantum network could soon span two continents, thanks to a satellite launched earlier today. Launched at 1:40pm ET, the Quantum Science Satellite is designed to distribute quantum-encrypted keys between relay stations in China and Europe. When working as planned, the result could enable unprecedented levels of security between parties on different continents. China's new satellite would put that same fiber-based quantum communication system to work over the air, utilizing high-speed coherent lasers to connect with base stations on two different continents. The experimental satellite's payload also includes controllers and emitters related to quantum entanglement. The satellite will be the first device of its kind if the quantum equipment works as planned. According to the Wall Street Journal, the project was first proposed to the European Space Agency in 2001 but was unable to gain funding.
An anonymous reader writes from a report via Techdirt: The Democratic National Committee has created a "cybersecurity advisory board" to improve its cybersecurity and to "prevent future attacks." Politico reports: "'To prevent future attacks and ensure that the DNC's cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field,' interim DNC Chairwoman Donna Brazile wrote in a memo. 'The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces -- today and in the future.' Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Chopra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor." What's surprising is that none of these members are cybersecurity experts. Techdirt reports: "If the goal of the board was to advise on cybersecurity policy, then the makeup of it is at least slightly more understandable, but that's not goal. It's to actually improve the cybersecurity of the DNC. Even if the goal were just policy, having someone with actual technology experience with cybersecurity would be sensible."
Zack Whittaker, writing for ZDNet: As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability. Security firm Lookout said in a blog post on Monday that the flaw affects all phones and tablets that are running Android 4.4 KitKat and later, which comes with the affected Linux kernel 3.6 or newer. According to recent statistics, the number of devices affected might run past 1.4 billion phones and tablets -- including devices running the Android Nougat developer preview. Windows and Macs are not affected by the vulnerability. The flaw, disclosed at the Usenix security conference last week, is complicated and difficult to exploit. If an attacker can pull off an exploit, they could inject malicious code into unencrypted web traffic from "anywhere". However, the source and destination IP address would need to be known in order to intercept the traffic, adding to the complexity of carrying out a successful attack.The exploitability isn't easy, though.
An anonymous reader writes from InformationWeek: In a wide-ranging interview with The Washington Post, Apple's CEO Tim Cook talks iPhones, AI, privacy, civil rights, missteps, China, taxes, and Steve Jobs -- all without addressing rumors about the company's Project Titan electric car. One of the biggest concerns Tim Cook has is with user privacy. Earlier this year, Apple was in the news for refusing a request from the U.S. Department of Justice to unlock a suspected terrorist's iPhone because Apple argued it would affect millions of other iPhones, it was unconstitutional, and that it would weaken security for everyone. Cook told the Washington Post: "The lightbulb went off, and it became clear what was right: Could we create a tool to unlock the phone? After a few days, we had determined yes, we could. Then the question was, ethically, should we? We thought, you know, that depends on whether we could contain it or not. Other people were involved in this, too -- deep security experts and so forth, and it was apparent from those discussions that we couldn't be assured. The risk of what happens if it got out, could be incredibly terrible for public safety." Cook suggest that customers rely on companies like Apple to set up privacy and security protections for them. "In this case, it was unbelievably uncomfortable and not something that we wished for, wanted -- we didn't even think it was right. Honestly? I was shocked that [the FBI] would even ask for this," explained Cook. "That was the thing that was so disappointing that I think everybody lost. There are 200-plus other countries in the world. Zero of them had ever asked [Apple to do] this." Privacy is a right to be protected, believes Cook: "In my point of view, [privacy] is a civil liberty that our Founding Fathers thought of a long time ago and concluded it was an essential part of what it was to be an American. Sort of on the level, if you will, with freedom of speech, freedom of the press."
Reader Trailrunner7 writes: New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim's past iMessage texts. The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users' messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them.The team discovered that Apple doesn't rotate encryption keys at regular intervals (most encryption protocols such as OTR and Signal do). This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. Apple was notified of the issue as early as November 2015 and it rolled out a patch for the iMessage protocol in iOS 9.3 and OS X 10.11.4.
Reader blottsie writes: A group of hackers identifying themselves as theShadow Brokers claims to have hacked the NSA's Equation Group, a team of American hackers that have been described as both "omnipotent" and "the most advanced" threat cyberspace has ever seen. On the Shadow Brokers' website, the group has shared a sample of data that some cybersecurity experts say lends credibility to the breach. The the hackers' asking price for what they claim is a cache of NSA-built cyberweapons. Motherboard's take on this is here.
The European Union is planning to extend telecom rules covering security and confidentiality of communications to web services such as Microsoft's Skype and Facebook's WhatsApp which could restrict how they use encryption, reports Reuters. From the report: The rules currently only apply to telecoms providers such as Vodafone and Orange. According to an internal European Commission document seen by Reuters, the EU executive wants to extend some of the rules to web companies offering calls and messages over the Internet. Telecoms companies have long complained that web groups such as Alphabet Inc's Google, Microsoft and Facebook are more lightly regulated despite offering similar services and have called for the EU's telecoms-specific rules to be repealed. They have also said that companies such as Google and Facebook can make money from the use of customer data. Under the existing "ePrivacy Directive", telecoms operators have to protect users' communications and ensure the security of their networks and may not keep customers' location and traffic data.Reuters adds that the exact confidentiality obligations for web firms would still have to be defined.
A new report by Television New Zealand in collaboration with The Intercept, based on leaks of former U.S. National Security Agency worker Edward Snowden has for the first time named a target of the NSA's controversial Prism program. The target was a middle-aged civil servant and pro-democracy activist named Tony Fullman. Fullman, who is originally from Fiji but has lived in New Zealand for decades, is an advocate for democracy in Fiji and a critic of Fijian prime minister Frank Bainimarama, who took power in a 2006 coup. From a Fortune report: According to The Intercept, the NSA in 2012 monitored Fullman's communications through the Prism program and passed on information to the New Zealand intelligence services. Around the same time, the New Zealand authorities raided Fullman's home and revoked his passport. The New Zealand intelligence services were not themselves allowed to spy on Fullman, who was a New Zealand citizen. However, as Snowden has repeatedly described, the agencies of many Anglophone countries spy on each other's behalf, in order to bypass their national legal restrictions. Fullman suggested in the article that people in the group may well have said violent things about Bainimarama, but this was just venting, not a plot. According to the report, they never suspected someone was listening into their communications. The NSA was said to be helping by analyzing Fullman's Facebook and Gmail activities. The 190 pages of intercepted documentation seen by The Intercept apparently didn't reveal evidence of a plot.