Hackers Were Inside Neiman Marcus Computers For Months Before The Retailer Had Any Idea [Report]

(Reuters) - Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation.

Neiman Marcus said on Friday that hackers may have stolen customers' credit and debit card information, the second cyber attack on a retailer in recent weeks.

Neiman Marcus had said it first learned in mid-December of suspicious activity that involved credit cards used at its stores.

However, in a call with credit card companies on Monday, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, the paper said. (http://link.reuters.com/kyd26v)

Neiman Marcus spokeswoman Ginger Reeder declined to comment to Reuters on the New York Times report about the July hack attack.

"We did not get our first alert that there might be something wrong until mid-December. We didn't find evidence until January 1," Reeder told Reuters late on Thursday.

Neiman Marcus did not say how many credit cards were affected but said that customer social security numbers and birth dates were not compromised.

"Customers that shopped online do not appear at this time to have been impacted by the criminal cyber-security intrusion. Your PIN was never at risk because we do not use PIN pads in our stores," Chief Executive Karen Katz wrote in a letter to customers, a copy of which was posted on the company's website.

Katz said the company has taken steps to contain the situation, including working with federal law enforcement, disabling the malware and enhancing security tools.

The company is also assessing and reinforcing its related payment card systems, Katz said.

The U.S. government on Thursday provided merchants with information gleaned from its confidential investigation into the massive data breach at Target Corp, in a move aimed at identifying and thwarting similar attacks that may be ongoing.

(Reporting by Sakthi Prasad in Bangalore and Jim Finkle in Boston; Editing by Supriya Kurane)

Snowden's Favorite Encryption Tool Is 'Not Secure'

A popular encryption tool used and endorsed by ex-NSA contractor Edward Snowden abruptly shut down on Wednesday, with its website telling users the tool is "not secure" without giving additional detail.

The decade-old tool — called TrueCrypt — allowed users to encrypt sensitive files and hard drives and was a favorite of security-minded individuals. One of those people was Edward Snowden, who hosted a "Crypto Party" in Dec. 2012 to teach a group of people how to encrypt hard drives and USB sticks, while still working as a contractor for the NSA in Hawaii.

But the sudden closure of TrueCrypt has led some to speculate the anonymous developers behind it had aroused the eye of the U.S. government and they decided to just throw in the towel. (Snowden's encrypted email service, Lavabit, suffered a similar fate).

The "advisory comes as a shock to the security community, though no one has been able to confirm its authenticity so far," wrote Runa Sandvik, a developer of the Tor anonymous web browser, in Forbes.

Interestingly, the shutdown came as a full-scale professional security audit of the TrueCrypt software was underway, led by Matthew Green, a cryptographer and professor at Johns Hopkins University, journalist Brian Krebs reported.

So far, the audit had not found anything suspicious in the code, but Green told Brian Krebs that the fact TrueCrypt has been taken down could lead some to believe there's some "big evil vulnerability in the code."

"I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green told Brian Krebs. "But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."

'The Internet Of Things' Is Full Of Major Security Holes For Hackers To Find

The surge of Web-connected devices -- TVs, refrigerators, thermostats, door locks and more -- has opened up huge opportunities for cyberattacks because of weak security, researchers said Tuesday.

A study by the Hewlett-Packard security unit Fortify found 70 percent of the most commonly used "Internet of Things" devices contain vulnerabilities, including inadequate passwords or encryption, or lax access restrictions.

"While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface," said Mike Armistead, vice president and general manager for Fortify's enterprise security.

"With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats."

The study comes amid recent security warnings about hacking of medical devices, cars, televisions and even toilets that have an Internet connection.

The researchers scanned the most popular devices and their cloud components and found on average 25 vulnerabilities per device. These products included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

The study said eight of 10 devices tested leaked private information that could include the user's name, email address, home address, date of birth, credit card or health information.

Most of the devices lacked passwords, making it easier for hackers or others to gain access while some included simple default passwords such as "1234."

Some 70 percent of the devices analyzed failed to use encryption for communicating with the Internet and local network, another weakness that makes for easy outside access.

HP said that while demand for these devices is surging, security has failed to keep pace, and this "opens the doors for security threats" from a variety of sources.

The study said some estimates indicate as many as 26 billion devices will be connected to the Internet by 2020.

"Fortunately, there's still time to secure devices before consumers are at risk," the report said.

A Company That Does Background Checks For The US Government Was Victim Of 'State-Sponsored' Cyber Attack [Report]

U.S. Department of Homeland Security analysts work at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia on September 24, 2010.

WASHINGTON (Reuters) - A company that performs background checks for the U.S. Department of Homeland Security said on Wednesday it was the victim of a cyber attack, adding in a statement that "it has all the markings of a state-sponsored attack."

The computer breach at Falls Church, Virginia-based US Investigations Services (USIS) probably involved the theft of personal information about DHS employees, according to the Washington Post, which first reported the story.

DHS has suspended all work with the company amid an investigation by the FBI, the Post reported. A U.S. government official confirmed to Reuters that the FBI is investigating the breach.

The Office of Personnel Management has also suspended work with USIS out of an abundance of caution, it said, adding that government officials do not believe the breach has affected non-DHS employees.

“Our forensic analysis has concluded that some DHS personnel may have been affected, and DHS has notified its entire workforce” of the attack, department spokesman Peter Boogaard was quoted as saying by the newspaper.

"We are working collaboratively with OPM and DHS to resolve this matter quickly and look forward to resuming service on all our contracts with them as soon as possible," USIS said in the statement on its website.

"We will support the authorities in the investigation and any prosecution of those determined to be responsible for this criminal attack," it said.

"Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack," the company said.

USIS says it is the biggest commercial provider of background investigations to the federal government, has over 5,700 employees and provides services in all U.S. states and territories, as well as abroad.

(Reporting by Eric Walsh; Editing by Eric Beech)

This article originally appeared at Reuters. Copyright 2014.

Defenders of the web: The people behind 7 influential security companies

Browsing the web may be easy, but ensuring your digital safety is not.

That's why there are hundreds of companies around providing numerous products to safeguard consumers and companies from malicious actors. While many of these companies offer seemingly identical products, some of the best are not only protecting users but researching what hackers are doing and exposing them.

Here are a few of the most influential companies on the market today, the people behind these firms, and some of the important vulnerabilities they've brought to light.

Kaspersky Lab: Eugene Kaspersky

Kaspersky Lab was founded in 1997 by the storied Russian security specialist Eugene Kaspersky. From the beginning it has provided anti-virus software to large companies. But in the 2000s it expanded to offer more wide-reaching products including consumer and mobile security products.

Its researchers have been known to expose some of the most famous hacking groups and their malware. These include Flame — which was discovered in 2012 as a highly advanced cyber espionage program — as well as the Equation group, which was just announced this year as a clandestine computer spying ring. Kaspersky Lab's headquarters are in Moscow, although it has over 30 offices globally.



FireEye: Dave DeWalt

FireEye is a California-based network security firm. It offers services meant to monitor networks for potential threats as well as to provide its customers with detailed threat intelligence. The company has joined forces with federal authorities, universities, and other security groups to discover and combat various malware. Most recently, FireEye discovered a group of hackers known as FIN4, which was targeting Wall Street to steal insider information.

Its CEO, Dave DeWalt, is a well-known heavy hitter in the cybersecurity scene. He worked as CEO of the security company McAfee, and then reportedly turned down 40 other positions until he settled on taking the helm at FireEye.



Palo Alto Networks: Nir Zuk

Founded in 2005, Palo Alto Networks is a network security company known for building advanced firewalls directed toward enterprise customers. Its founder, Nir Zuk, worked as an engineer at Check Point and NetScreen Technologies.

Most of Palo Alto Networks’ products revolve around network traffic. The company has also made some important malware discoveries, most recently a family of malware known as “WireLurker” that took direct aim at Apple products. 



See the rest of the story at Business Insider

The CEO of a wildly popular app that was used as a giant botnet fires back at his critics

It has not been a good week for Hola.

The Israeli company is behind a wildly popular browser plugin and app that disguises users' identities online. Over the last few days, it has been hit with a deluge of negative press after it emerged that users of the service had had their computers hijacked and used as a giant "botnet" to attack a website.

A botnet is a network of (normally) unwitting computers hijacked by a third party, and used to launch some kind of malicious attack, or just to overwhelm a web site or server with fake requests or traffic.

Exacerbating the criticism is the fact that Hola is openly selling its users' bandwidth via a commercial side project called Luminati, and researchers claim to have discovered a number of serious security vulnerabilities in the software.

After reports that users' computers had been hijacked and the company was selling users' bandwidth, Hola CEO Ofer Vilenski told Business Insider that the company "has been listening to the conversations about Hola... [and] have decided to provide more details about how this works."

Then, following the publication of two highly critical reports from security researchers, one accusing the company of "negligence, plain and simple," we reached out to Vilenski again. He told me the company has experienced some "growing pains," but that the security issues have since been patched — and hopes to grow into a "great billion dollar company."

What is Hola?

Based in Israel, Hola has 75 employees (around 35 of whom are developers), and has received more than $20 million in venture capital funding since its launch. Before the current firestorm it had enjoyed positive press coverage, including CNN Money and here on Business Insider. Its website says it has more than 47 million users around the world.

So what does it do?

Hola lets users access websites that are unavailable or censored on their connections. A user might want to circumvent a workplace's block on Facebook, or to access a video streaming service not available in their country. To do this, Hola uses what is known as a VPN, or virtual private network.

Most commercial VPN services require users to pay to use them, but Hola is totally free (though it offers a paid option). Why? Because while most companies like this own or rent dedicated servers to act as "exit nodes" through which the user accesses the internet, Hola pursues a different approach. Everyone is an exit node.

So, for example, when a British user sets their location on the tool as Norway, their internet traffic is being routed through the connection of a random Norwegian user on the Hola network. And simultaneously, the British user's connection may be used as the exit node for a South African user to connect to the web. It's a peer-to-peer network that does away with the need for dedicated hardware — allowing it to be offered as a free service.

Hola doesn't hide the fact it works on a peer-to-peer system, although it wasn't always immediately clear from the website that users will by default act as an exit node. (Users can also pay a premium subscription fee to opt out of this.)

Hola also sells its users' bandwidth

Hola also operates a second service — one that sells Hola users' bandwidth for profit. It's called Luminati, and its customers can hire the Hola network for their own purposes. The company suggests it can be used for brand monitoring or anti ad-fraud checks, but a salesperson told security researchers that the company has "no idea what [customers] are doing on our platform."

This can have dangerous implications — as Fredrick Brennan found out. He claims the Hola network was used to attack his website last week.

Brennan, often known by the online moniker "Hotwheels," is the administrator of 8chan, a countercultural online messageboard. The site was targeted by thousands of "legitimate-looking" posts, he wrote in a blog post, "prompting a 100x spike over peak traffic."

The Hola network — and the computers of users on it — had been used as a giant botnet, a network of hijacked machines intended to overwhelm the site, Brennan claims.

Before recent events, there was only a brief acknowledgement on Hola's site that the network might be used for "commercial" purposes, and no mention at all of Luminati, which has been in operation since at least October 2014. (A fuller explanation has since been added.) As such, it's doubtful that many users realise Hola is selling their bandwidth.

A Reddit thread from last week discussing the subject was filled with users expressing their surprise and asking how to uninstall it. (And in an unscientific strawpoll of people I know who use Hola, none were aware that they were being used as an exit node on the network — much less that their bandwidth was being sold by Hola.)

"Even if they had said it all along in their FAQ," wrote one commenter on news site Hacker News, "it's still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola's site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this."

Vilenski did not comment on how many clients Luminati has.

Security researchers pile on

Vilenski confirmed that Luminati had been used to mount the attack, though he told me last week that there was nothing uniquely vulnerable about Hola's VPN — the hacker "could have used any commercial VPN network, but chose to do so with ours." The attacker has since been blocked from the service.

Since then, however, security researchers have pointed out a number of further vulnerabilities in Hola's software.

It began with a report entitled "Adios, Hola!" that urged users to "immediately uninstall" the service. It said that Hola:

  • Lets users "be tracked across the internet, no matter what you do."
  • Makes users less secure by "[sending] traffic of strangers through your internet connection" — a reference to Hola's peer-to-peer model where everyone is an exit node.
  • "[Sells] access to third parties, and [doesn't] care what it's used for." When a researcher asked the company how it enforces its terms of service for Luminati, the company responded "we don't... we have no idea what you are doing on our platform."
  • Lets "anybody execute code on your computer." The researchers say they found a vulnerability in Hola that lets websites remotely execute code on a user's computer. They built an example that opened a calculator on Windows users' computers — but it could also be used for far more malicious purposes. Here's a video of the demonstration:

Following the publication of the report, Hola moved to patch the vulnerabilities, and Vilenski told me that the security vulnerabilities have now been fully patched.

But an update to the Adios Hola post disputes this, saying that "many of the issues are ignored, and some claims [in a Hola statement] are simply false."

It continues: "The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren't two vulnerabilities, there were six."

One of the researchers told Motherboard that "while some bugs were fixed, the most critical ones haven't been, making it still possible to hack Hola users."

Vilenski countered that he disagrees, and that he cares "more about my users than what that website says." He invites the researchers behind Adios Hola to present details of the six vulnerabilities that are allegedly still in effect.

That's not all: Vulnerabilities in Hola have allegedly been exploited in the past. A second security report, this time from Vectra, discovered 5 pieces of malware online "that contain the Hola protocol."

If true, this means that anyone who has used Hola in the past may have been actively targeted by hackers.

"Unsurprisingly," Vectra writes, "this means that bad guys had realised the potential of Hola before the recent flurry of public reports by the good guys."

Vilenski confirmed to me Hola was not aware of its vulnerabilities until the publication of the first report.

Hola hasn't alerted its users

Following an avalanche of negative publicity everywhere from the BBC to Motherboard, Hola updated its FAQ to explain the Luminati service more clearly, and published a blog post in which the company says it fixed the vulnerabilities identified. The company's website now has a banner across the top explaining clearly that users' bandwidth may be used by others.

But Hola users may not understand the technical details of how their computers are being used by the company, and unless they visit the website again, they're unlikely to find out — because as Vilenski told me, the company has made no attempt to contact existing users to explain how the tool works or that their bandwidth is being sold for profit. Hola can't contact them. It apparently has no way to.

This also means Hola has not alerted users about the vulnerabilities on the platform either — vulnerabilities that have been used to target Hola users in the past (and according to some security researchers, are still active).

(The company also hasn't alerted its users via its Facebook or Twitter profiles, neither of which has been updated in several months.)

In theory, Hola could use its browser plugin to display a message explaining the peer-to-peer system, the nature of Luminati, and the vulnerabilities that may have compromised their computers. When I asked if he would commit to doing so, Vilenski told me that while it's a "good idea," he "cannot make that promise."

The company does not want to be "technically intrusive."

Hola defends itself

Again, Vilenski claims that all the vulnerabilities Hola knows about have been patched, and says that researchers should explain exactly what they've found to the contrary, instead of accusing him of negligence.

Vilenski also says it's important to keep this in proportion. He argues that the vulnerabilities amount to "growing pains," similar to what has happened to other big companies in the past. If you put a "big enough bounty" on any product, vulnerabilities will be found, and Hola has "just become big enough to become attractive to this scrutiny."

He also argues that Hola's peer-to-peer system is analogous to Skype, which also uses a similar method to transmit data. But Skype will only route voice data through the computers of users on the network, while Hola uses web data — and also caches content on users' machines, Vectra's report says.

This means if you were being used as an exit node for someone browsing child pornography, then that illegal material would be being saved on your machine. Vilenski counters that it would be unwise to use Hola for illegal activity, as they keep a map of the traffic between nodes, and will cooperate fully with law enforcement.

Vilenski also says that, on average, a user will only give up 6 MB of bandwidth per day using Hola, and only when their device is idle. It will not use devices' bandwidth when not plugged in so as not to waste battery power, for example. However, he couldn't put a figure on what the maximum bandwidth usage might be.

The future of Hola?

Vilenski remains positive about the future of the platform. It has seen no meaningful decrease in users as a result of the recent news (though this may be at least in part because they haven't been widely notified), and every developer at the company is currently working to improve security. Hola is also paying for a security audit from one of the "big 4 auditing companies' cyber auditing team," and launching a bounty program to encourage researchers to discover and declare more bugs.

Looking ahead, Hola plans to launch a B2B video product that could cut the cost of distributing video on the internet by 90%. The aim is to "build a great billion dollar company," Vilenski told me.

It remains to be seen whether it can win back users' trust, however — or convince security professionals that its services can be relied on. And there are more immediate hurdles to overcome: The company's Google Chrome plugin, which once had more than 16 thousand positive reviews, has now been removed by Google from the Chrome Web Store.

HOOAH! These US military veterans now have big roles on Wall Street

The American military has been breeding the US' top leaders since the day the Declaration of Independence was signed. 

But once they're done serving their country, many head to the financial services sector. 

That means bringing four-star general experience onto corporate boards, and the mettle forged in jet fighting missions into management.

That includes David Petraeus, who headed the CIA before resigning, and, later, taking a post at private equity firm KKR. Others might be surprised to see our list include Blackstone Group CEO Stephen Schwarzman. 

There are a lot of other Wall Street hot-shots, too. Big name banks like JPMorgan and Bank of America have launched ambitious initiatives to bring the military's finest to the forefront of financial services. Often, they're competing with private equity firms like Blackstone and KKR for top talent. 

They come from all branches of the US military: Army, Navy, Air Force and Marines. They also hail from the reserves. 

For this Veterans Day, Business Insider takes a look at some of the financial sector pros who first learned about hard knocks from a drill instructor. Have a look:

Kelsey Martin was a fighter pilot before joining Goldman Sachs

Kelsey Martin spent more than a decade with the US military, first studying economics at the US Naval Academy and then as a fighter pilot and as an electronic warfare instructor. After his time in the Navy, he headed to the Booth Business School at the University of Chicago for his MBA. A short stint at Morgan Stanley was followed by a 10-year run at Goldman Sachs, where he's currently employed, according to his LinkedIn profile. 



Steve Schwarzman did a stint in the reserves before launching his finance career

After a short stint at investment bank Donaldson Lufkin & Jenrette, a young Steve Schwarzman would briefly take a turn in the US Army Reserves before returning to the world of finance. Following his time in the reserves, Schwarzman would head to Harvard Business School, and then into Lehman Brothers, where his career in finance would take off. Today, he's the 38th richest man in the US, according to Forbes. 



Wesley Clark ran for president, then ran to private equity

Former General Wesley Clark left the US Army at the rank of General after more than three decades of service in 2000. He would then go on to run for President of the United States — as a Democrat — in 2004 and remained active in politics afterwards. Clark made his move to PE in 2013, joining Steve Schwarzman's Blackstone Group. 



See the rest of the story at Business Insider

Online voting would be disastrous because hackers could hijack the democratic process

During the 2012 American presidential election, 129 million people cast ballots, while 106 million eligible voters neglected to do so. That’s only a 54.9 percent conversion rate, not to mention the 51 million voters who weren’t registered. Meanwhile, in 2015, there were almost 172 million Americans making purchases online. Those are apples and oranges, admittedly, but the ease with which the shopping occurs only helps its proliferation.

If the ultimate goal is maximizing the country’s voting turnout, shouldn’t we develop an Internet voting system? Voting from a computer at home could be far easier than waiting in long lines at polling stations or filling out mail-in forms.

But can it ever happen?

“For as far into the future as I can see, the answer is no,” says David Jefferson, a computer scientist in the Center for Applied Scientific Computing at Lawrence Livermore National Laboratory. In May 2015, Jefferson examined the possibility of Internet voting in a paper called “Intractable Security Risks of Internet Voting.” For anyone who has ever owned a personal computer, the first problem is obvious: malware.

“We’re not even remotely close to guaranteeing that there’s no malware on your computer,” Jefferson says. The malware can do whatever task it’s programmed to accomplish, from erasing votes cast to changing them. And it can do these things without leaving any trace. “The malware might erase itself a half second later, and so there might be no evidence. And that’s one of half a dozen of problems.”

There are also the standard risks that come with any online activity. Denial-of-service attacks can shut down the voting system by overloading it. Mirror sites can trick voters into thinking their votes have been submitted, when really the information travels nowhere. Potential ransomware attacks can steal and encrypt votes, to be sold to the highest bidder. “Imagine the crisis if somebody encrypted the votes and said [to the government], ‘For one million, I’ll give you the key,’” Jefferson says. “Who would pay?”

Other scenarios are more insidious. A person using spyware can see who someone has voted for, allowing exactly the scenarios that the secret ballot is meant to prevent: a person being outed for an unpopular vote, or punished for not voting a certain way. It might also increase the likelihood of selling votes: Spyware would allow an outside party to verify that a seller followed through, a prerequisite for any smart buyer.

“The only way to avoid bribery and/or coercion with remote voting is to have complicated voting and registration processes that allow voters to vote multiple times or use different passwords for true and bogus votes,” writes Poorvi Vora, a professor of computer science at George Washington University, in an email. That means developing a system so complex and secure it takes away a lot of what makes the prospect of online voting appealing.

“Unless we were to re-design the Internet from the ground up, there’s not likely to be a solution to these problems,” Jefferson says.

The United States has attempted online voting before. In 2000, Arizona used it in the Democratic primary through the private website election.com. And while the stakes were relatively low (the number of people voting in the primary was far below that of the general election), the system still came under attack from outside forces. “There was definitely an external attack on that system,” Jefferson says. This year, Utah gave it a whirl during the Republican primary, and while the effectiveness of that trial is still being weighed, the system involved a 30-digit PIN that many voters did not receive in time to vote.

voting-estonia

Yet the country of Estonia has somehow, supposedly, already figured it out. The small country has been offering its 1.3 million citizens the ability to vote on the Internet since 2005; more than 30 percent of the country’s votes are cast online. How can a relatively small country with a gross domestic product one-fifth the size of the state of California do something America can’t? Because the Estonian system isn’t that great.

In 2014, an independent team from Michigan took a look at the Estonian voting procedures and found plenty of issues. The system uses home computers that are trusted not to be infected by malware. Vote counting is done on servers, hidden away from outside scrutiny, unlike the physical counting of ballots. “There are protections in place to make sure the servers aren’t compromised,” says J. Alex Halderman, an assistant professor of computer science and engineering at the University of Michigan who worked on the report. “But if they are, they can output any vote totals they want.”

In fact, the lessons from the Estonia system may simply be how good the old system is at preventing fraud. Sure, there are stories every election of votes being lost or miscast, and voter disenfranchisement and district re-jiggering are real problems that deserve scrutiny. But those problems are relatively out in the open, where they can be examined and corrected, and not hidden in the ones and zeroes of the digital world.

“There are advantages of old technology,” Halderman says. “If you make things less efficient to count, you are making fraud less efficient. Voting on paper has inconveniences and its share of flaws, but the problem with online voting is a single attacker who finds a single flaw.”

Halderman knows from experience. In the 2010 general election, Washington, D.C., piloted an Internet voting system. It was unique in that the officials urged the public to hack into the system as a way to test vulnerabilities and, perhaps, provide the public with proof of concept. Halderman and his team took them up on it. “Forty-eight hours after they started, we’d hacked in and changed all the votes from here in Michigan,” he says.

Right now, things aren’t looking good for Internet voting. But everything advances; technology adapts. At some point in the future, maybe even soon, the security flaws of online voting might be solved, right?

“I’m not sure we’re going to be able to get there, to be honest with you,” Halderman says. “In security, it comes down to the cat and mouse game. And the attackers are getting better as fast, if not faster, than the defenders.”



If you shopped at these 14 stores in the last year, your data might have been stolen


  • At least 14 retailers were hacked and likely had information stolen from them since January 2017.
  • Many of these were caused by flaws in payment systems taken advantage of by hackers.

At least 14 separate security breaches occurred from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.

Data breaches are on the rise at retailers and other businesses alike. According to Business Insider Intelligence, data breaches are a real danger for both brands and customers, and can erode customers' trust in brands.

According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.


Sears

Sears alerted customers on April 4 of a "security incident" with an online support partner [24]7.ai that may have resulted in up to 100,000 people having their credit-card information stolen.

The incident affected shoppers who bought items online from September 27, 2017 to October 12, 2017.



Kmart

Kmart, which is owned by Sears Holdings, was also affected by the breach, the company reported on April 4.



Delta

Delta used the same online support service as Sears and was also affected by the reported breach.

The airline said customer payment information may have been vulnerable but did not estimate how many of its customers were affected.




Wireless Companies Ranked By How Much They Charge The NSA For Tapping Your Phone And Email


Verizon has a nice little business going in wiretaps. It charges the federal government $775 to tap a customer's phone and then $500 a month after that to maintain it, making it the most expensive of the government's wireless service intelligence assets, according to the Associated Press.

Here is how the companies named in the NSA's PRISM domestic surveillance scandal stack up against each other, as ranked by what they charge for intelligence requests:

Phone taps:

  • Verizon: $775 startup fee, then $500 per month
  • AT&T: $325 "activation fee" and $10 a day afterward (~$310 per month)
  • Cricket: ~$250 per wiretap
  • U.S. Cellular: ~$250 per wiretap
  • Sprint: $30 per month

Email access:

  • Microsoft, Yahoo and Google: ~$25 per account

This is a real business, by the way. The AP says AT&T collected $24 million in government fees between 2007 and 2011. Verizon collects $3-5 million.


Japan Accidentally Leaks Emails And Sensitive Internal Communications


As we learned today from Edward Snowden's preferred encryption email service, Lavabit, security is no good "unless you actually use it."

Cue the Japanese government, which set up a Google shared group and forgot to enable security.

From IT News:

An official at Japan's Ministry of the Environment created the group to share mails and documents related to Japan's negotiations during the Minamata Convention, a meeting held in Geneva in January to create international standards to limit international mercury use. But the official used the default privacy setting, leaving the exchanges open to searches and views in the months since. The information has now been removed.

Doh!

So, in essence, not only were the email addresses of everyone who mailed through that group exposed, but all of their communications were readable as well.

That's a potentially huge leak because it's like getting a look at the other team's playbook. Their negotiation strategies have been laid bare.

Japan is now conducting an internal investigation into the matter.


REPORT: The Federal Government Wants To Know Your Account Passwords


The federal government has made legal requests to more than one major internet company for the passwords to users' accounts, according to CNET.

The report is frustratingly thin on details.

But it represents an even worse scenario than the one posited by NSA leaker Edward Snowden, who claimed the feds have a program named PRISM that gives them access to the servers of Google, Facebook, Microsoft and other major web providers. The companies have denied that such a program exists, saying they only respond to specific legal requests about individuals.

Legal demands for passwords, as reported by CNET, go well beyond the one-time production of data from a user's account. On Google, for instance, once someone has the password to your Gmail account they have ongoing access to your calendar, search history, Drive docs, Gmail chats, and maybe your Google+ account.

CNET reports the unnamed companies have pushed back on the demands.


Obama's 'Independent' Review Of Mass Spying Is Destined For Failure


In the wake of seemingly endless leaks from ex-NSA contractor Edward Snowden, President Obama's attempt to manage the political fallout seems destined to fail.

On Friday, Obama announced that he would form a "high-level group of outside experts" to review intelligence and communications technologies. This group, Obama said, would be "independent" — able to step back freely — to review surveillance technologies and "consider how we can maintain trust of the people."

It only took the weekend for much of any trust in that group to fade.

On Monday, Director of National Intelligence James Clapper confirmed that yes, the review group would happen. He also confirmed that, yes, he would be establishing it.

This is the same James Clapper who gave false information to Congress when asked whether the NSA was collecting data on Americans. He later apologized.

Perhaps most interesting in Clapper's statement on Monday is the absence of two words used on Friday: "independent" and "outside." In an expanded statement, the White House said the group would present its interim findings to Clapper's office, and the final report would go "through the Director of National Intelligence."

"In practice — not theory — Clapper gets to chop the draft of the interim and final reports, and the Office of the Director of National Intelligence would — again, in practice — assist in selecting the members of the review group," Robert Caruso, a former assistant command security manager in the Navy and consultant, said in an email.

This arrangement is sure to arouse suspicions, with many Americans showing distrust after leaks of previously unknown spying programs. Even Sen. John McCain (R-Ariz.), a veteran politician and national security hawk, admitted as much to Fox News Sunday:

“Right now there’s kind of a generational change. Young Americans do not trust this government,” McCain said. “Without trusting government you can’t do a lot of things.”

Still, Caruso believes there can be good to come from such a review. "I trust [Clapper] has the best intentions at heart." But on whether that final report would be transparent or heavily redacted, he told me, "we'll have to wait and see."


Wikileaks Just Released A Massive 'Insurance' File That No One Can Open


Anti-secrecy organization Wikileaks just released a treasure trove of files that, at least for now, you can't read.

The group, which has been assisting ex-NSA contractor Edward Snowden after he leaked top-secret documents to the media, posted links for about 400 gigabytes of files on their Facebook page Saturday, and asked their fans to download and mirror them elsewhere.

Here's the cryptic post:

wikileaks mirror files

The organization posted the same message about its "insurance" files to Twitter.

You can download the files via torrent but since they are encrypted — and Wikileaks has not yet provided the key — you won't be able to open them.

We can glean at least one thing of note from the file names alone: they are probably protected by strong encryption. The suffix on the file names, "aes256," likely stands for the Advanced Encryption Standard with a 256-bit key.

It's a way of locking up your files that even the NSA has approved for use on top-secret data.

What's in the files is anyone's guess for now, but there's already plenty of speculation.


Trying To Hide Online Just Puts You On The Government Radar


If you want to maintain your privacy online, it seems the only way to do it these days is to turn off your computer.

All of the big tech companies are bound by the Patriot Act and receive National Security Letters (NSLs) from the government asking them to turn over user data when it's "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities."

It's pretty well known that if you use services like Google and Facebook, you shouldn't expect much when it comes to privacy. But if you prefer to stay off the grid, what can you do?

For the average Internet user, the options are dwindling.

On Aug. 5, researchers discovered the Tor service, known for anonymizing its users' web browsing, was actually revealing user data which they believe had a "high likelihood" of being sent back to the NSA. Just days later on Aug. 9, two U.S.-based providers of secure email services voluntarily shut down. Both were preemptive efforts to protect their users from government eyes.

These aren't new developments. In 2007, Canada-based encrypted email provider Hushmail turned over emails to the DEA in response to a court order.

But even advanced users knowledgeable in encryption have reason to fear.

"With the tapping of backbone internet providers, interested parties can now see all traffic on the internet," wrote Louis Kowolowski of Silent Circle, one of the encrypted email services that was shuttered. "The days where it was possible for two people to have a truly private conversation over email, if they ever existed, are long over."

Perhaps more interesting is a slide detailing the formerly secret "XKEYSCORE" program run by the NSA and leaked by former contractor Edward Snowden.

"How do I find a cell of terrorists that has no connection to known strong-selectors?" a question on the slide reads. The answer: "Look for anomalous events."

Among the anomalous events is "someone who is using encryption" or someone searching "for suspicious stuff."

According to the NSA, if you are using encryption — that is, trying to make sure no one besides the person you just emailed is reading the words you have typed — you are lumped in with terrorists.

It's the digital equivalent of a police car patrolling your neighborhood and deeming your home suspicious because the blinds are shut.

As former intelligence analyst Joshua Foust writes in an essay titled "Face It: Privacy Is Dead," it's pretty tough to stay off the radar when the Internet was created by the government to begin with.

He writes:

When people really want to keep their data secret, they invest heavily in the infrastructure to do so. The intelligence community went to the expense of building its own alternate networks to keep their data safe (so long as they’re not broken by construction crews in Tyson’s Corner, VA). It also forbids the use of cell phones, cameras, and even CD players in its intel facilities. When they were not prohibited, like at Bradley Manning’s base in Iraq, a massive breach occurred.

But the average citizen can't afford — nor would it even make sense — to build a system such as the military's SIPRnet to communicate with others. Instead, we have cheap alternatives such as PGP that aren't exactly a breeze to set up.

So the alternative it seems is not one you want to hear: If you really value your privacy, turn off your cell phone, unplug your network cable, and only talk face-to-face. Foust may be right when he deems online privacy dead, but more compelling is that the government has effectively deemed it illegal.



Hacker Reveals How Devastating A Cyberattack On The Stock Market Could Be


Of all the horrifying scenarios that hackers could pull off — from launching nukes to spoofing air traffic control — the one that poses the biggest risk for Wall Street would be a cyber attack on equity markets.

In the summer issue of hacker magazine 2600, pseudonymous writer "Eightkay" shows how such a scenario could pan out:

Now imagine this attack scenario. Agents of an enemy of the United States successfully break into the mainframes of a High Frequency Trading Company, Dark Pool Crossing Network, or Brokerage Company. They infect the system with rogue trading algorithms or change the code on currently deployed algorithms. In a single coordinated attack, they buy and sell millions of shares of a single company or multiple companies, causing trading to halt or decimating the value of a single stock. Multiply that by 100 stocks of the top Fortune 500 companies and we have market collapse. Trading for the day would halt and uncalculated economic damage would be done.

The days of screaming floor traders have long passed, as computers now make financial moves in microseconds. The shift has already given rise to (non-hacker-initiated) computer glitches costing serious money: Knight Capital lost $450 million in 2012, and Goldman Sachs is still trying to get to the bottom of $100 million in botched trades.

Hackers were able to "repeatedly [penetrate] the computer network" of the Nasdaq Stock Market in 2011 — although they luckily weren't able to make it into the exchange trading platform.

And a report from Reuters in July of this year found 53% of the world's securities exchanges had experienced at least one cyberattack in the last year. Most were simple denial-of-service or virus attacks — but they are getting better.

"Cybercrime also appears to be increasing in terms of sophistication and complexity, widening the potential for infiltration and large-scale damage," the report read.

While there are safeguards such as market monitors and circuit breakers, "Eightkay" writes, "this attack could happen quickly, rapidly, and across multiple fronts" laying waste to investor confidence and damaging the economy.

It's also worth noting that "Eightkay" doesn't advocate such an attack or show how it could be pulled off in his column. He's simply sounding the alarm bell.


REPORT: Millions Of Android Users Vulnerable To Security Breaches


Millions of Android smartphone users are susceptible to security vulnerabilities such as viruses and malware, according to an internal bulletin prepared by the Department of Homeland Security and the FBI.

The July 23 bulletin, obtained by the website Public Intelligence, reveals that Android — as the most widely used mobile OS — continues to be the target of attacks due to "its market share and open source architecture."

"44 percent of Android users are still using version 2.3.3 through 2.3.7 — known as Gingerbread — which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions," the bulletin reads.

Android leads the smartphone market, with roughly 80% global market share. While it is more popular in the consumer sector than in the public sector, the bulletin warns that the software needs to be kept up to date as more federal, state, and local authorities adopt Android.

The bulletin describes some of the threats if the OS isn't updated to the latest, more secure version. These include viruses that send out text messages without the user's knowledge, and "rootkits," which are able to log user locations and passwords.

The current 4.3 version of Android, known as Jelly Bean, is considered much safer — with a built-in feature that allows users to scan installed apps for signs of malicious or dirty code, according to Phandroid.


DOCUMENTS: NSA Has 'A 100% Success Rate' Putting Spyware On iPhones


All Apple devices have been successfully infected by the NSA with spyware, according to new documents published by Der Spiegel, the German magazine.

We first saw the story on The Daily Dot, and it is chilling:

An NSA program called DROPOUTJEEP allows the agency to intercept SMS messages, access contact lists, locate a phone using cell tower data, and even activate the device’s microphone and camera.

... According to leaked documents, the NSA claims a 100 percent success rate when it comes to implanting iOS devices with spyware. The documents suggest that the NSA needs physical access to a device to install the spyware—something the agency has achieved by rerouting shipments of devices purchased online—but a remote version of the exploit is also in the works.

Here's a copy of an NSA document explaining how "DROPOUTJEEP," its Apple spyware, works:

nsa apple S3222_DROPOUTJEEP

It's not the first time we've seen documents alleging that the NSA spies on Apple customers. NSA leaker Edward Snowden produced an NSA document that calls Steve Jobs "Big Brother" and his customers "zombies."

This video lecture was published today by the journalist who got the scoop:

In the speech Appelbaum all but accuses Apple of cooperating with the NSA to allow the agency to access any iPhone:

"[The NSA] literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I'd like to believe that since Apple didn't join the PRISM program until after Steve Jobs died, that maybe it's just that they write sh---y software. We know that's true."


Hackers Were Inside Neiman Marcus Computers For Months Before The Retailer Had Any Idea [Report]


(Reuters) - Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation.

Neiman Marcus said on Friday that hackers may have stolen customers' credit and debit card information, the second cyber attack on a retailer in recent weeks.

Neiman Marcus had said it first learned in mid-December of suspicious activity that involved credit cards used at its stores.

However, in a call with credit card companies on Monday, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, the paper said. (http://link.reuters.com/kyd26v)

Neiman Marcus spokeswoman Ginger Reeder declined to comment to Reuters on the New York Times report about the July hack attack.

"We did not get our first alert that there might be something wrong until mid-December. We didn't find evidence until January 1," Reeder told Reuters late on Thursday.

Neiman Marcus did not say how many credit cards were affected but said that customer social security numbers and birth dates were not compromised.

"Customers that shopped online do not appear at this time to have been impacted by the criminal cyber-security intrusion. Your PIN was never at risk because we do not use PIN pads in our stores," Chief Executive Karen Katz wrote in a letter to customers, a copy of which was posted on the company's website.

Katz said the company has taken steps to contain the situation, including working with federal law enforcement, disabling the malware and enhancing security tools.

The company is also assessing and reinforcing its related payment card systems, Katz said.

The U.S. government on Thursday provided merchants with information gleaned from its confidential investigation into the massive data breach at Target Corp, in a move aimed at identifying and thwarting similar attacks that may be ongoing.

(Reporting by Sakthi Prasad in Bangalore and Jim Finkle in Boston; Editing by Supriya Kurane)


Snowden's Favorite Encryption Tool Is 'Not Secure'


A popular encryption tool used and endorsed by ex-NSA contractor Edward Snowden abruptly shut down on Wednesday, with its website telling users the tool is "not secure" without giving additional detail.

The decade-old tool — called TrueCrypt — allowed users to encrypt sensitive files and hard drives and was a favorite of security-minded individuals. One of those people was Edward Snowden, who hosted a "Crypto Party" in Dec. 2012 to teach a group of people how to encrypt hard drives and USB sticks, while still working as a contractor for the NSA in Hawaii.

But the sudden closure of TrueCrypt has led some to speculate that the anonymous developers behind it had caught the eye of the U.S. government and decided to just throw in the towel. (Snowden's encrypted email service, Lavabit, suffered a similar fate.)

The "advisory comes as a shock to the security community, though no one has been able to confirm its authenticity so far," wrote Runa Sandvik, a developer of the Tor anonymous web browser, in Forbes.

Interestingly, the shutdown came as a full-scale professional security audit of the TrueCrypt software was underway, led by Matthew Green, a cryptographer and professor at Johns Hopkins University, journalist Brian Krebs reported.

So far, the audit had not found anything suspicious in the code, but Green told Brian Krebs the fact TrueCrypt has been taken down could lead some to believe there's some "big evil vulnerability in the code."

"I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green told Brian Krebs. "But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."
