Information Security News
On Tuesday, a District Court judge in Minnesota ruled [PDF] that a group of banks can proceed to sue Target for negligence in the December 2013 breach that resulted in the theft of 40 million consumer credit card numbers as well as personal information on 70 million customers. The banks alleged that Target had “failed to heed warning signs” that would have stymied the banks' losses.
The breach occurred between mid-November and mid-December in 2013, after hackers placed malware on Target POS systems which made it possible for them to steal credit card numbers as consumers swiped. The vast number of people affected by the breach made Target's hack the most notorious, but subsequent reports revealed that Target was only one of many big-name retail stores that had credit card data stolen—Neiman Marcus, Michaels, and later Home Depot customers were also revealed to be targets.
After the breach, multiple banks and consumers sued Target in Minnesota, where the company is headquartered. The lawsuits from both banks and consumers were grouped together into two consolidated class action complaints. Target filed a motion to dismiss the claims made by the financial institutions, but District Court judge Paul A. Magnuson ruled that the plaintiffs' claims were valid.
The National Security Agency has spied on hundreds of companies and groups around the world, including in countries allied with the US government, as part of an effort designed to allow agents to hack into any cellular network, no matter where it's located, according to a report published Thursday.
Armed with technical details of a specific provider's current or planned networks, agents secretly attempt to identify or introduce flaws that will make it possible for communications to be covertly tapped, according to an article published by The Intercept. Security experts warned that programs that introduce security flaws or suppress fixes for existing vulnerabilities could cause widespread harm, since the bugs can also be exploited by criminal hackers or governments of nations around the world.
"Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities," Karsten Nohl, a cryptographer and smartphone security expert, told The Intercept. "Because once NSA introduces a weakness, a vulnerability, it's not only the NSA that can exploit it."
by Sean Gallagher
The “wiper” malware that knocked Sony Pictures’ corporate network offline for over a week, now being called Destover, bears a striking resemblance not only to the “DarkSeoul” malware that struck South Korean companies last year, but the Shamoon “wiper” that struck Saudi Aramco in 2012, according to analysis by Kaspersky Labs and other security researchers. While there is nothing in the analysis that would tie the three attacks to the same malware developers, they all used similar techniques, as well as some of the same commercial Windows drivers to attack the hard drives of their victims.
In an e-mail exchange with Ars, Kaspersky Lab security researcher Kurt Baumgartner said, “Of the three, the Shamoon and Destover implementations share the most similarities, and based on these similarities it is possible that there was shared guidance or expertise between the two projects. All three share operational similarities.”
The Sony Pictures malware used commercial software to do its damage to the victim computers’ hard drives—the RawDisk library from EldoS, which allows Windows applications to gain direct access to disk hardware without having to run in administrator mode. As EldoS advertises on its website for RawDisk, the library “offers software developers direct access to files, disks and partitions of the disks (hard drives, flash disks, etc,) for user-mode applications, bypassing security limitations of Windows operating systems.” This allowed the malware to skip past any restrictive security permissions in Windows’ NTFS file system and overwrite the data on the drive, including the master boot record (MBR). (Further details of the malware's behavior are in Ars' updated analysis article.)
Seals certifying the security of e-commerce sites and other online destinations have long aroused suspicions that they're not worth the bits they're made of—much less the hundreds or thousands of dollars they cost in yearly fees. Now, computer scientists have presented evidence that not only supports those doubts but also shows how such seals can in many cases make sites more vulnerable to hacks.
The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that's prominently displayed on the homepage. Carrying images of padlocks and slogans such as "HackerProof," the marks are designed to instill trust in users of the site by certifying it's free of vulnerabilities that hackers prey on to steal credit card numbers and other valuable customer data.
A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover. Most strikingly, the researchers developed attacks that are enabled by a site's use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn't use the service.