Top 10 security breaches of 2014

ExpressVNP

That’s right folks, it’s time. Time for a roundup of the year’s worst IT security breaches and how they’ve impacted the tech market at large. And away we go, with:

1) University of Maryland

Let’s start “small”. In February, the University of Maryland suffered a data breach that put personally identifiable information (PII) of nearly 310,000 people at risk. This information included names, dates of birth, Social Security numbers and University ID numbers. According to Brian Voss, U of M’s CIO, the hackers had a “very significant understanding” of the school’s network security and “picked through several locks to get the data.”

2) Oregon State Department

Looking for work at state offices in Oregon this year? Then your PII may have been stolen. In October, state officials discovered that hackers had breached the WorkSource Oregon Management Information System and rifled through more than 850,000 records. More worrisome? The state department only learned about the breach thanks to an anonymous tip.

3) US Postal Service

Through rain and snow and dark of night — and apparently personal data. As noted by Information Week, the US Postal Service was hacked “sometime” during 2014. USPS itself did not detect the breach, and it was only the intervention of US law enforcement officials that brought the problem to light in September. Even then, it took until mid-November to neutralize the threat.

All told, some 800,000 pieces of USPS employee information and details on 2.9 million customers were compromised. There’s some speculation this was an overseas attack, and the postal service is now undergoing a security overhaul.

4) Snapchat

Photo-sharing app Snapchat has been breached several times this year, but the first and most damaging attack came in January, when 4.6 million users had their usernames and phone numbers posted on a public website. The hack came after repeated warnings that Snapchat’s system wasn’t secure, and shortly after the hack a group of white hat security experts found the code that allowed this kind of breach. The problem? Too little, too late.

5) EBay

In March, online auction site eBay was the victim of a network security breach. The company initially believed user data was safe following the breach, according to BGR, but soon discovered that the email addresses and passwords for all 145 million eBay members were breached. Unfortunately, the company was slow to notify users or require password resets, prompting backlash for their response. The lesson here? If you think there’s a problem, there’s absolutely a problem.

6) Dairy Queen

The first of three Backoff POS-related breaches on our list, Dairy Queen was the “smallest” with an undisclosed number of customers at risk after 400 stores were compromised. According to eSecurity Planet, the breach was first uncovered back in August, but following the common trend DQ maintained that no information had been stolen. As it turned out, however, everything from customer names to payment card numbers and expiration dates was grabbed during the breach.

7) Home Depot

Backoff malware case #2: The Home Depot’s network was compromised in September 2014 by this point-of-sale problem. Fifty-six million customers had their credit and debit card numbers stolen during this attack. What’s notable here isn’t so much the breach itself but the fact that Backoff was old news — after Target, companies supposedly learned their lesson and found a better way to secure POS systems.

8) JP Morgan Chase

A big bank slips in here before Target with 76 million individuals and 7 million small businesses affected. How hackers got in and who they were isn’t known, and JP Morgan Chase says that financial information wasn’t taken, just addresses, names and phone numbers. That’s disturbing enough, but what’s more worrisome is the fact that JP Morgan Chase was well-known as having excellent security controls in place.

9) Target

It happened in January 2014, but still comes in at number two on the list because 110 million people had their PII and payment card information (PCI) compromised in this attack. This was the first known appearance of Backoff and as such went undetected for an extended period of time, quietly collecting data from POS machines, many of which weren’t tied to the company’s network security backbone. The takeaway? Any device on a network is vulnerable.

10) Sony

Last but certainly not least, Sony. While the hack didn’t grab millions of Social Security numbers, it resulted in the premature release of five big-ticket movies and a deep dive into the company’s corporate information including employee salaries, dates of birth, and details about the company’s layoff process. What’s more, the hack used a technique able to override existing hard drive information and compromise network function unless drives are physically repaired. Scary stuff.

So there you have it: the 10 biggest, baddest breaches of 2014 — let’s hope 2015 is a year of lessons learned.

Kaspersky: Macs overripe for malware threats

Security firm Kaspersky recently released its Security Bulletin for 2014, detailing critical cybersecurity statistics gathered in the last year. Among their findings? That Apple Macintosh computers are quickly becoming less secure.

In 2014, the average Mac user encountered nine cyber threats — doesn’t sound like much until you consider that the company detected 200 more pieces of Mac malware than in 2013 and blocked more than 3.5 million infection attempts on Mac OS devices. Are these Apples finally past their prime?

Ad Nauseam

According to The Telegraph, almost half of the top 20 threats to Macs came in the form of AdWare, which can add links to browser bookmarks, change default search engines and force devices to display contextual advertising. By and large, AdWare is harmless, but is nonetheless malware and opens the door for less benign threats. Among the most interesting: a malware program that took screenshots every minute, one designed to steal bitcoins, a backdoor that offers remote system access and access to contact lists and a piece of malware designed to also infect any connected iOS devices.

David Emm of Kaspersky Lab says that “the myth of Mac OS X being invulnerable no longer stands true, and as cyber criminals continue to evolve their attack methods, users should also evolve by taking the necessary steps to bolster security on their Mac devices.” In other words, the shine is off the Apple, and while the first forays by cybercriminals into the Mac landscape are mostly focused on advertising, it won’t take long for more sophisticated attacks to breach the OS X perimeter.

You’ve Been Slothed

Consider a recent example of Apple security breached for more…hilarious purposes. As noted by Consumer Affairs, Apple users in the San Francisco area have been the victims of an “AirSloth” attack: pictures of a sloth wearing a spacesuit were pushed to their devices via the AirDrop feature, which provides a *** way to exchange files among Mac and iOS devices located in close physical proximity.

Josh Lowensohn of the Verge eventually took credit for the attack, saying that while riding the train to work and playing with his Apple device, he noticed that many of his fellow passengers had a feature turned on in AirDrop that allowed them to receive files from anyone. The setting was likely an oversight from users turning on AirDrop but not configuring its permissions, and allowed Lowensohn to sloth them.

It’s a funny little joke and a funny little picture, and users can still decline the file even if their AirDrop is wide open. But there’s a serious point worth making: what if Lowensohn had been sending pictures that weren’t G-rated, or there was a line of malicious code buried in his hilarious sloth image? He also points out another easy way to hack Macs and iDevices: set up a wireless hotspot and change your device name. In the coffeeshop? Give it a popular brand name. On a University campus? Name it after the institution or the nearest building. Once users connect to your network, you have access to everything.

Attacks as a Service

So far, it seems like most Mac problems come from users: if they download AdWare or leave AirDrop on, they have only themselves to blame, right?

According to Tech News World, however, 2015 will see the spread of “attacks as a service,” where would-be hackers head to a website, choose what they want to steal and how, then pay a fee and get an all-in-one software package. A survey by security company SentinelOne found that attacks on OS X have begun to rise, and predicts that Apples will be increasingly targeted by these attacks because more and more businesses are using Macs and iOS devices to store critical data, making them valuable targets. What’s more, Apple’s reputation as a “safe” OS has led to a lack of dedicated security measures — claiming the door is locked only works so long as no one tries to kick it down.

Bottom line? Macs are under threat as the specter of Apple malware grows. Both users and the company have their work cut out if they want to stay safe in 2015.

Snowden files: How NSA tapped 71% of the world’s phone networks with auroragold

An ambitious NSA operation dubbed Auroragold aims to tap every cellphone network in the world, according to The Intercept.

The mobile tapping system, detailed in documents leaked by Edward Snowden, successfully cracked a total of 701 out of an estimated 985 cellular networks around the world, details of which can be found in an NSA presentation.

The documents reveal how the NSA’s aims were achieved via snooping on key telecoms workers’ private communications in order to acquire technical information as well as encryption keys which, together, opened up access to mobile calls.

In total, the NSA infiltrated somewhere between 363 and 1,354 staff computers between November 2011 and April 2012.

The documents supplied by Snowden mention certain operators within lands where the Internet is highly regulated, but, beyond that, nothing is known about the identities of the targeted companies.

The NSA presentation does however include a map (page 24/26) which reveals how the agency had gained network access to more than 70% of the global network. According to the legend, the agency has achieved good coverage in much of Africa, Asia and Europe, including Russia.

The NSA operations collected information from “IR.21” documents used by GSM Association members to identify security weaknesses as well as provide details about the encryption methods employed by mobile operators. With this information to hand, the agency was able to circumvent encrypted communications and snoop on international conversations, the documents show.

The GSM Association – a UK-based trade group – became a top target for the NSA due to its associations with influential tech firms including Facebook, Microsoft, Sony and Samsung.

The fact that a trade organisation which represents several hundred firms across 220 countries was targeted is especially interesting considering how, just 3 months ago, another US agency – the National Institute of Standards and Technology (NIST) – gave it $800,000 of funding to tackle “security and privacy” issues surrounding mobile devices.

Commenting on the details revealed by The Intercept, GSMA spokeswoman Claire Cranton said the group’s lawyers were examining the documents and that “if there is something there that is illegal then they will take it up with the police”.

Since Snowden’s first leaks in June 2013 it has become clear that the NSA’s covert snooping on web-based and more traditional forms of communications is widespread.

Previous documents leaked by the whistleblower have shown the agency’s interest in hacking into the networks of foreign firms as well as previous efforts at subversion from within, such as with RSA which was reportedly paid $10m to make a less than entirely secure form of cryptography (the Dual EC DRBG algorithm) its de facto standard. Since Snowden first leaked the claims about RSA it has denied the allegations and ceased using Dual EC DRBG in its products.

In response to the Auroragold claims the NSA released a statement in which it said “NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements – regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communication”. The statement went on to claim that the agency continues to see terrorists and other criminals employing standard technology for communication and thus it was imperative that it continue to identify and report on the same.

DeathRing: Some Android phones come pre-loaded with malware

If you are looking to buy a new Android smartphone you are probably already aware that it is a wise idea to install an antivirus app as quickly as possible to protect your new device from malware.

What you may not realise, however, is that your new smartphone may already have malicious code on it out of the box.

New research from mobile security vendor Lookout has highlighted how that may be a very real problem as the company’s researchers have discovered a Trojan called DeathRing which comes pre-installed on some devices.

The Asian malware, which masquerades as a ringtone app, has been found on low-end handsets that are especially popular in Asian and African nations. According to Lookout, the affected devices include:

  • Counterfeit Samsung GS4/Note II
  • Various TECNO devices
  • Gionee Gpad G1
  • Gionee GN708W
  • Gionee GN800
  • Polytron Rocket S2350
  • Hi-Tech Amaze Tab
  • Karbonn TA-FONE A34/A37
  • Jiayu G4S – Galaxy S4 Clone
  • Haier H7
  • No manufacturer specified i9502+ Samsung Clone

The Trojan is initially dormant but is easily activated – either through the user switching the device on and off five times or by turning the screen on and off a total of fifty times.

Once DeathRing is up and running it can download SMS and WAP content from its command and control centre, giving it the ability to phish personal information from the victim or download additional malware in the form of APKs:

“For example, DeathRing might use SMS content to phish victim’s personal information by fake text messages requesting the desired data. It may also use WAP, or browser, content to prompt victims to download further APKs — concerning given that the malware authors could be tricking people into downloading further malware that extends the adversary’s reach into the victim’s device and data.”

As DeathRing is installed within the smartphone’s firmware there is no way to remove it and even installing an antivirus app will prove to be a fruitless endeavour – the only way for a user to avoid the Trojan is to not buy the device in the first place.

So how can you protect yourself from such a nasty piece of malware?

The most obvious answer is to only buy a smartphone from well-known vendors, but even people in the more developed countries may struggle to afford the models they desire right now. So, with that in mind, the best advice would be to install a malware-detecting app on any new device as soon as you buy it – even if it cannot protect you from DeathRing it can alert you to its presence which should be reason enough for the retailer to accept a return on the device.

It would also be advisable to keep tabs on your phone bill for any unexpected charges and it may also be a good idea to look at the amount of data the device is consuming as this may highlight unexpected connections and downloads.

It would also be advisable to avoid inputting sensitive information on any device unless you are one hundred percent sure it is secure – so until you have verified the integrity of your new smartphone think twice before using it for online shopping, banking or inputting personal data into websites you visit.

Mix Chewbacca with Dexter, Get LusyPOS

Darknet markets have been found selling LusyPOS, a new type of point-of-sale malware which is similar in nature to other RAM scrapers utilized in some of the highest profile data breaches of 2014.

Similar malware was used in the Target breach last year which saw the compromise of 40 million payment cards, 70 million records and hundreds of millions of dollars in associated costs.

More recently, the Home Depot breach saw the compromise of 56 million cards as well as 53 million email addresses in a similar attack. The company faces multiple lawsuits in the US and Canada as a result.

Would-be cybercriminals, and just about anyone else with $2,000 in their back pocket, can pick the malware up from underground carding websites today, no questions asked.

LusyPOS, which at 4MB is bigger than other variants, was uncovered by CTBS reverse engineers earlier this month. Nick Hoffman and Jeremy Humble analyzed “lusypos.exe” after it appeared on VirusTotal and learned that it had many similarities with two other notorious POS malware families – Chewbacca and Dexter.

The pair noted that the new variant’s code contained strings for command and control, whitelist processing and registry key persistence that suggest it “may have taken a cue from dexter.” It was also noted that its RAM scraping code is similar to that found in other similar malware, as is the method of verifying that the scraped data is valid credit card track information (the Luhn algorithm, the standard means of verifying credit card numbers).

Like Chewbacca, LusyPOS also uses the TOR network which offers the promise of anonymity to the controllers who can use it to access information via a remote server.

Technically speaking, there is no good reason for a POS machine to talk to TOR, and nor should it be allowed to. In terms of Payment Card Industry Data Security Standard (PCI DSS) compliance, such communication should be expressly prohibited with Hoffman saying “most PCI audits will attempt to lock this sort of activity down but there seem to be devils in the implementation that allow malware like this to be successful”. Therefore such activity is a good means of detecting the presence of POS malware on a system – if suspicious domain names, such as those with a .onion TLD, are spotted they should be blocked immediately.
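As an added example (not from the original article or from the researchers it cites), the check described above can be run over DNS resolver logs along these lines. The log format, the POS subnet and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample resolver log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2014-12-15T10:02:11Z client=10.20.1.15 qname=payments.example.com. qtype=A
2014-12-15T10:02:14Z client=10.20.1.15 qname=abcdefghij234567.onion. qtype=A
2014-12-15T10:03:40Z client=10.30.7.9 qname=ABCDEFGHIJ234567.ONION qtype=AAAA
2014-12-15T10:04:02Z client=10.20.1.22 qname=onion.example.com. qtype=A
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def normalize_qname(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def is_onion(qname):
    """True only when the top-level label is 'onion' (not merely a label named onion)."""
    labels = normalize_qname(qname).split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_lookups(log_text, pos_networks):
    """Return one alert per .onion lookup; lookups from POS subnets are 'high'."""
    nets = [ipaddress.ip_network(n) for n in pos_networks]
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        try:
            client = ipaddress.ip_address(match.group("client"))
        except ValueError:
            continue  # skip lines with an unparsable client address
        if not is_onion(match.group("qname")):
            continue
        from_pos = any(client in net for net in nets)
        alerts.append({
            "timestamp": match.group("ts"),
            "client": str(client),
            "qname": normalize_qname(match.group("qname")),
            "severity": "high" if from_pos else "medium",
        })
    return alerts


if __name__ == "__main__":
    # 10.20.0.0/16 stands in for the POS network segment (hypothetical).
    for alert in find_onion_lookups(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(alert)
```

A Tor client bundled with malware resolves .onion names inside the Tor network, so this log check complements default-deny egress filtering on the POS segment and does not replace it.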

When LusyPOS was initially submitted to VirusTotal on 30 November it was only detected by 7 of its 55 AV engines (and two of those flagged it only because of its use of TOR). Now, two weeks later, it is still only detected by 27 of them.

Hoffman and Humble concluded that “This is just a scratch in the surface of a new malware family. We’ll be curious to watch it evolve over the next couple years and track its progress”.

DuckDuckGo Internet privacy review

If you need to find something of interest, your first port of call will be a search engine, of which there are a great many. Beyond the big boys – Google, Bing and Yahoo – lies a plethora of smaller engines – some of which are specialized – and many more that are just struggling for attention.

One of the smaller engines that has managed to gain some traction over the last few years is DuckDuckGo which markets itself as a search engine that doesn’t track its users.

Given the heightened awareness of personal online privacy generated by Edward Snowden’s leaks about government surveillance, that sounds like an incredibly enticing selling point.

So what exactly is DuckDuckGo?

The company was started on 29 October 2007 by Gabriel Weinberg who had recently sold The Names Database for $10m. In those pre-Penguin, pre-Panda days, he found Google search results less than inspiring, filled as they were with spam and over-optimized thin sites which seemed to offer little value to their visitors. The answer to his own search queries, he found, was to visit crowd sourced sites such as Wikipedia, and via word of mouth.

Together, these factors convinced him to start his own alternative. On 29 February 2008 Weinberg incorporated DuckDuckGo (the name comes from the traditional children’s game duck, duck, goose) and launched the search engine in September of the same year.

Six years ago surveillance wasn’t a hot topic of course so it is no surprise to learn that Weinberg’s initial motivation was to produce an engine that simply returned better results. However, beyond his dislike of spam, he also noticed how advertising tended to follow people around the web. Combined with a conversation he saw on Reddit, Weinberg decided to make a search engine that would not collect data and track its users and DuckDuckGo made the decision not to collect or share any user information from 22 January 2009.

But is the search engine any good I hear you ask.

That’s a good question and the answer largely depends on why you would consider using it.

If your primary motivation is to find an alternative to the big boys that returns great and relevant results then what you get could very well be a mixed bag. When searching for ‘mainstream’ topics, such as “BBC news” or “Edward Snowden”, for example, the returned results are fairly good and point to the most obvious sources. If, however, you are typing more specialized search queries into the engine then you will be served by results that are less relevant and reminiscent of the Google of a few years ago (we have seen a big improvement over the last year or two though).

Other areas that need further development are photo and video searches. For photos I found that looking for a named celebrity certainly produced accurate results but most of the images were very old and often not particularly focused upon any additional parameters applied to the search.

For video the results were generally more appealing but, interestingly, most were found on YouTube and, as DuckDuckGo says, “YouTube (owned by Google) does not let you watch videos anonymously. As such, watching YouTube videos here will be tracked by YouTube/Google,” which somewhat negates the whole point of using it for such searches in the first place.

On the other hand, if privacy and ad avoidance are your main concerns, DuckDuckGo certainly does provide a worthwhile service.

Considering how the engine does not use personal data and search history to influence future results, the end result is on a par with the bigger engines for the more common search terms. One area I especially like is the lack of location centric search results – it’s never been easier to search for foreign results – try doing that on Google.de if you aren’t resident in Germany or using a VPN.

The other major plus of course is the distinct lack of advertising – looking at a page of search results without seeing adverts completely filling the ‘above the fold’ portion of the screen is a very refreshing change indeed in this day and age.

Literally malware? The figurative explosion of Uber’s app

Last week, The Hacker News posted an article about the mobile app offered by ride-sharing service Uber — turns out a security researcher from Arizona reverse engineered the Android app to see what kind of data it was collecting, and based on his findings dubbed it “literally malware.” Now, the Web is blowing up with discussion over the app itself, mobile permissions, and what it really means to be malware.

They’re Looking for What?

App permissions are already a bone of contention among users, especially when it comes to Android devices. Google often compels developers to include very broad permission requests for even *** functions, giving the impression that much more data is being accessed than is required. In Uber’s case, a Ycombinator thread found that it could potentially access a host of information, including:

  • app activity
  • battery life
  • device info including manufacturer, model, OS and SDK code
  • SMS data
  • WiFi Connection data
  • Contacts data
  • GPS data
  • Malware information, such as checks for Heartbleed vulnerabilities

Much of this data makes sense: GPS and WiFi connection data can be used to determine your location when ordering a ride, while contacts data lets you split fares or invite friends to use the app. Even device information isn’t totally out of line: Uber says they use this data to assign a unique user ID.

Other information, however, is more troublesome. Why would Uber care about your SMS history, malware information or battery life? That seems a bit intrusive, and if this data really is being sent back to the company, well, it’s not hard to see why some are calling the app “malware”.

Not So Sinister?

But it’s not that simple. The Next Web did some digging, and found that while Uber was sending back all the information it needed to get users a ride, the app wasn’t grabbing SMS or other data for collection. Uber said as much in a statement to Cult of Mac, and also pointed out that other services often require the same kind of permissions.

It’s also worth mentioning that in order to use the Uber app, users must first download it and then agree to the permissions as presented. While the company certainly seems interested in getting its hands on everything that could enhance the “user experience,” it doesn’t look like their aim is to steal personal information — what would be the point? Users would quickly find out about any impropriety and quickly spread the word. As noted by The Next Web, the permissions here may not be the issue: it may be the way they’re presented to users, as if all their data is up for grabs.

Familiar Territory

Uber isn’t the first app to have its permissions questioned. In the UK, government officials are calling for an inquiry about Facebook’s mobile app and the possibility that it can take pictures or record videos without permission. USA Today, meanwhile, points out that many free apps ask for a host of permissions they don’t need — for example, virtual pet and dictionary apps want access to GPS data and microphones.

So what’s the final verdict? Is Uber’s app “literally malware”? Sort of. While it can potentially access device information that goes well beyond its purview as a ride-sharing app, there’s no evidence of malicious action. Uber has been under fire recently for a host of other issues, so it’s no surprise that their app is under greater scrutiny — what’s really uncovered here isn’t Uber’s big secret, but the fact that Android apps in general ask for much greater reach than they actually need. Some of this is on Google, while some of it comes from app developers themselves.

No matter the source, however, the fact remains that it’s on users to read what they’re agreeing to and then decide if the risk is worth the reward. And this is where the Uber malware construct falls apart: users are giving the app permission to access their device at large. With permission comes tacit approval; if you want privacy, always read carefully before hitting “agree.”
