Uber Accused of Skipping Out of Paying Bug Bounties

With all the apps and systems that are used, created and updated every day, it is often impossible to be absolutely certain about their security. This has led companies to seek external help through schemes like bug bounties, unless you're Uber, who changed the scope of which bugs they'll pay bounties for.

Bug bounty schemes are simple. If you find a problem in the code or a system that a company uses, you report it to the company running the scheme, and if they agree it is a problem, you get paid. Even Microsoft and GitHub run schemes to help narrow down and find problems with their software. The issue here is that only this week popular taxi alternative app Uber launched its own bug bounty scheme.

Sean Melia found a few issues, or rather a few admin panels/ports that were open. This fell in line with what Uber wanted under the groupings of “publicly accessible login panels” and “exposed administration ports (excluding OneLogin)”. After reporting the first issue, which was quickly accepted as a bug, Melia went about finding others, resulting in the large group he ended up reporting. The problem was that by this time Uber had updated their documentation to make these reports invalid, without informing people using the scheme. Free security support, anyone?

The reason for the change? Uber's security engineering manager, Collin Greene, has stated they changed the rules so that researchers stopped wasting their time on minor bugs. Greene then stated that “a successful bug bounty rests on researchers trusting us to run it well, which we take very seriously”, something that may not go down so well when you are willing to move the goalposts without telling people.

Was Uber right in this case? Should they have acted differently? A problem's a problem; even with a lesser payment, should Melia have received something given that he did the work under the old rules?

Hackers Leave Advice for Breached Security Company

Security firm Staminus' servers have been taken offline today, following a supposedly successful cyber-attack on their network. The Newport Beach, California-based hosting and distributed denial of service (DDoS) protection company went down at 8 am EST on Thursday, with the company communicating details of the event via Twitter, citing it as a “rare event [that] cascaded across multiple routers in a system-wide event.”

This ‘rare event’ was quickly revealed to be a far more deliberate malicious act against the company, with a data dump of Staminus’ servers being posted to the internet shortly afterwards. This leak contained the details of a large number of customer names and email addresses as well as their database table structures, routing tables and other crucial operational information. An unnamed Staminus customer verified the contents of the hack, confirming that his details were among those released in the dump. The posters of the dump declared that they had managed to gain access to all of Staminus’ routers and networked systems, resetting them to factory settings.

The dump begins with a note from the hackers responsible for the breach, titled “TIPS WHEN RUNNING A SECURITY COMPANY.” This preface detailed a number of security flaws found while breaching Staminus’ systems in a sarcastic style:

  • Use one root password for all the boxes
  • Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
  • Never patch, upgrade or audit the stack
  • Disregard PDO [PHP Data Objects] as inconvenient
  • Hedge entire business on security theatre
  • Store full credit card info in plaintext
  • Write all code with wreckless [sic] abandon

While no credit card information was visible in the dumped data, storing such data unencrypted goes against Payment Card Industry (PCI) security standards and is inappropriate for any company handling such details, especially one claiming to be in the security business.

Also laid bare was the colourful selection of customers that Staminus served, from a number of small gaming server operators, including those for Minecraft, all the way to the Ku Klux Klan. It was found that the KKK's official website was in fact hosted by Staminus, as well as a number of affiliated sites such as the American Heritage Committee.

While Staminus claimed that service had been restored globally, many customers took to Twitter claiming that this was not the case. Since then, the only communication from the firm has been the announcement of a statement from their CEO, which is linked from their (currently offline) site. When Staminus will regain full functionality of the network is anyone's guess; however, it will be interesting to see how the company will recover from this major event.

Pirates Identify Booty by Hacking Shipping Company

When people talk about “pirates” and “hacking” together, it usually refers to those who release versions of software with the digital rights management systems removed or disabled. In this case, it was different. As revealed in Verizon's 2015 Data Breach Investigation Report, Verizon's RISK security response team were called in to assist a global shipping company that had fallen victim to network intrusions, which were in turn used to assist in high-seas piracy.

The incident first came to light when the shipping company noticed an odd pattern in the pirates' attacks on their vessels. Instead of the typical approach of ransoming the crew and cargo of a target ship, the pirates instead operated hit-and-run attacks, seizing specific high-value shipping containers and making off with them alone.

The response team discovered that the shipping company had used a “homegrown” Web-based content management system to manage the content of their cargo ships. Upon analysis, it turned out that a malicious shell script had been uploaded to the server via a vulnerability in the software. The script gave the pirates backdoor access to the server, allowing them to upload and download files, including the bills of lading for the ships, as well as compromising a number of user passwords.

Mistakes made by the hackers allowed the hack to be uncovered easily by the response team, the primary one being the script's use of plain HTTP instead of making use of the server's support for SSL encryption. This exposed every transmission of data to and from the server by the pirates when using the script. Put together, the team were able to see every command issued by the hackers, including a large number of spelling mistakes made in their commands. So while these cyber-attacks were certainly effective when paired with the physical attacks on the ships, those perpetrating the attacks were seemingly amateurs. The biggest flaw in their hacks, however, was a complete disregard for operational security: they used no proxies or other intermediaries, instead connecting directly from their home network. As a result, all it took to end the attack was the banning of the pirate hackers' IP address.

Cyber-crime may be a serious threat in the world today; however, events like this have proven that attacks combining both cyber and physical elements can be the most effective. Thankfully, in this incident the hackers proved themselves incompetent enough to be thwarted, but companies should be sure, more than ever, to defend themselves not just in the physical world but online too.

‘Anti-IS’ Hackers Tested Abilities On BBC Website

Three days ago we reported on the BBC's web services being down, from their website to iPlayer, their on-demand streaming service. It has now come to light that a group has claimed responsibility, stating that the attack was just to test their capabilities.

The group calls itself New World Hacking, and in their message they claim that “it was only a test”; they then go on to state that “we didn't exactly plan to take it down for multiple hours. Our servers are quite strong”. The group claims it carried out the attack using a distributed denial of service attack (DDoS), a method which sees websites and servers knocked offline by swarming the system with more traffic than it can handle.

Claiming to be based in the US, they stated in a tweet to BBC technology correspondent Rory Cellan-Jones that they were striving to “take down Isis-affiliated websites, also Isis members”.

A group member, calling himself Ownz, claimed that the team is formed of twelve people, eight male and four female, who started working together back in 2012 and have since taken part in operations against the Ku Klux Klan and #OpParis, both activities designed to track down, name and expose people who use the internet as a tool.

The group claims it will use the technique against IS websites and a new list of targets, associated with the group, from Tuesday.

Image courtesy of the BBC.

New Firefox Testing Feature Warns Of Insecure Website Password Submission

Consumers are exposed to a myriad of cyber threats intent upon harvesting as much information as possible, from bogus emails offering state cash refunds to spoofed pages which purport to be from a genuine vendor but are in fact aiming to collect sensitive consumer details. Well-known and popular browser Mozilla Firefox has recognised the importance of alerting consumers to the security of password submission by offering a simple yet important safeguard within the latest Firefox Nightly build.

The security measure in question takes the form of a faded, crossed-out padlock icon within the address bar of the browser; thankfully it's more useful than simply a new icon. The aim of this new feature is to warn consumers if a password field is not submitted over HTTPS and is thus regarded as insecure. If a consumer clicks on the icon it will provide further details as to why a particular site is considered insecure; below is an image to convey the change. This feature is currently “only in testing as part of Firefox 44 Nightly”.
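The check the feature performs is easy to reproduce server-side as a scanner, which is useful for auditing your own sites before users see the warning. The following is an added example, not Firefox's own code: it parses a page, finds every form containing a password field, resolves the form's submit URL against the page URL (a missing action means "submit to the current page"), and flags any form that would not submit over HTTPS. The sample HTML and the hostnames in it are constructed for the example; the exact rules Firefox applies are an assumption on my part, so treat this as an approximation of the feature rather than a copy of it.

```python
"""Flag password forms that would submit over plain HTTP.

Added example (not Firefox code). Assumptions: a form with no action
submits to the page URL, and only the scheme of the resolved submit URL
decides whether the submission is secure.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormScanner(HTMLParser):
    """Collect each <form> that holds a password field and where it submits."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: {"action": url, "has_password": bool}
        self._current = None   # the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser lowercases tag and attribute names
        if tag == "form":
            # An absent or empty action means "submit to the current page".
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            # type="PASSWORD" is valid HTML, so compare case-insensitively;
            # a missing type attribute defaults to a text input.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the submit URLs of password forms that would not go over HTTPS."""
    scanner = PasswordFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [form["action"] for form in scanner.forms
            if form["has_password"] and urlsplit(form["action"]).scheme != "https"]


# Constructed sample page: a relative login form, an explicit HTTPS form,
# a form with no password field, and a form that posts to an HTTP host
# even when the page itself is served over HTTPS (the mixed-content case).
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw"><button>Sign in</button>
</form>
<form action="https://accounts.example.com/login" method="post">
  <input type="PASSWORD" name="pw">
</form>
<form method="post"><input name="q"></form>
<form action="http://legacy.example.com/auth" method="post">
  <input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for page in ("http://example.com/", "https://example.com/"):
        print(page, "->", insecure_password_forms(page, SAMPLE_PAGE))
```

Serving the page over HTTPS fixes the first form but not the last one, which is why the scanner resolves each form's action rather than only looking at the page's own scheme.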

This new yet simple feature is a good way of informing consumers of the risks of submitting a password over an insecure method; cyber security is a hot topic and the more every individual knows the better. It will be interesting to note the rollout timescale of this feature once Firefox confirms it for its finished builds. On a side note, let's hope consumers actually update their browsers in order to benefit from the latest security fixes; I bet many a reader knows someone who is running a version of Firefox that is at least 10 versions behind the currently available one.

Image courtesy of technodyan

Hackers Can Control Siri and Google Now Silently and Remotely

Even though Apple and Google’s operating systems and apps are usually relatively safe from hackers, at least compared to other similar software, it looks like hackers have found a way to control Siri and Google Now from up to 16 feet away and without having to say a single word. The vulnerability was discovered by the French Network and Information Security Agency, whose experts notified Apple and Google immediately. This means that a fix is most likely imminent and that hackers won’t have too much time to exploit the flaw, but it’s still quite alarming that they were able to pull off such an impressive trick in the first place.

The hack only works if the targeted device has a pair of microphone-enabled headphones plugged in, and only if Siri or Google Now is enabled. Using a nearby laptop equipped with open-source radio software, an antenna and an amplifier, the hacker can “transform” the device's headphone cord into an antenna that receives radio waves. These radio waves are interpreted by Google Now or Siri as actual voice commands that are executed immediately. As for solutions, there are several that could be implemented in the future, but for now it's probably a good idea to disable Google Now or Siri on your device if you're concerned about a potential attack. Adding an electromagnetic sensor to smartphones in order to block hacking attempts could be a viable solution, but manufacturers could also try to protect the headphone cords better by adding some extra shielding.

Do you have any ideas for potential fixes?

Thank you AbcNews for providing us with this information.

NCA Warning After Hackers Steal £20 Million from UK Bank Accounts

The UK's National Crime Agency has urged the people of Britain to ensure they take adequate online security measures after a significant strain of malicious software allowed criminal hackers to steal an estimated £20 million from UK bank accounts.

The highly skilled malware developers are thought to be based in Eastern Europe. The details that are collected are then exploited to steal money from individuals and businesses globally. The NCA has reported one significant arrest in relation to the multi-million pound scam, but only after thousands of computers had already been infected by the Dridex malware, also known as Bugat and Cridex, the majority of them Windows-based machines.

Computers can become infected with the virus when users open documents in emails they believe to be legitimate. I myself have recently received emails proclaiming to be from PayPal stating: “Your PayPal account has been limited! Take a few moments to confirm your information. After you do, you can shop online and send money using your account.” After checking PayPal directly (not through the given link) I established that there was no such limitation on my account.

To avoid becoming an unwilling victim of the costly Dridex malware, the National Crime Agency is encouraging all internet users to ensure they have up-to-date operating systems and anti-virus software installed on their machines, to protect themselves from further cybercrime attacks. The NCA also urged users to visit the CyberStreetWise and GetSafeOnline websites, where they state a number of anti-virus tools are available to download to help clean up infected machines; these sites are also a great way to gain further advice on how to protect yourself in the future.

Mike Hulett, Head of Operations at the National Crime Agency's National Cyber Crime Unit said: “This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to be made.”

What measures do you take to ensure your online security? Let us know down in the comments below.

Thank you National Crime Agency for providing us with this information.

Ashley Madison Ex-CTO Hacked Competing Website

Adultery website Ashley Madison is at the forefront of a hacking scandal despite reassurances about the site's confidentiality. The data released includes information on members, their activity and the CEO's e-mail correspondence. In an ironic twist, leaked documents show that the CTO, in collaboration with employees and the CEO of parent company Avid Life Media, discovered a security flaw in rival site Nerve.com. The company accessed the competitor's entire database and had the ability to change records for their own purposes. A snippet from the e-mail exchange provides an insight into their ruthless strategy:

“They did a very lousy job building their platform. I got their entire user base,”

“Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

In a hilarious twist, Raja Bhatia, the founding chief technology officer outlined the company’s own security problems before allegedly hacking a competing site:

“With what we inherited with Ashley[Madison.com], security was an obvious afterthought, and I didn’t focus on it either,”

“I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.”

Ashley Madison is a very divisive website, and its CEO isn't the most lovable of characters. Furthermore, if the company conducted hacking as suggested in the e-mails, it could be prosecuted under the Computer Fraud and Abuse Act. Personally, I have very little sympathy for a company which promotes cheating and supposedly engages in the very behaviour it becomes outraged by.

Thank you Wired for providing us with this information.

Hackers Post 10GB Stolen Data as Ashley Madison Stays Online

It has been a while since hackers attacked the online cheating site Ashley Madison, claiming that they had downloaded pretty much all relevant information about the site's users. For those who don't know it, Ashley Madison is an online dating site specifically designed and advertised to married people who want to cheat on their partner. A pure disgrace in my book that a site like that is allowed to stay online, but that is beside the point right now.

The hackers wanted the site to shut down and threatened to release the user data if that didn't happen. The site didn't give in to the blackmail, as it looks to be a very lucrative operation, even though they've been exposed as having 90-95% male profiles, with most female profiles being faked by the company. I don't think that women cheat less than men; perhaps they're smarter about it.

Now the hackers have made good on their promise and released 10GB of stolen data that includes not only usernames and emails, but also appears to contain the credit card information used to pay for membership as well as a lot of other personal information. While the site doesn't verify the profiles in any way, and it is possible to create fake profiles with any email you wish, it's still scary how many government email addresses were found in the database.

Avid Life Media, the company behind Ashley Madison, condemned the release of the data with a statement: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

All the information has been posted to the “Dark Web”, which can only be accessed through the Tor browser. It will be interesting to see what new dirt will show up as experts dig through the data and decrypt the parts that were secured.

Thank You Wired for providing us with this information

Hosting Companies Could Be Hit With New DDoS Attack

Distributed Denial of Service (DDoS) attacks have become more and more frequent in recent years with the expansion of the internet and the speeds at which it can deliver information. A denial of service attack is pretty simple: you find the device you wish to disrupt and send as much data as you can to it, so that the device quickly becomes overwhelmed and unresponsive. The target can be anything from your home router to a world championship tournament.

Level 3 Communications is an American telecommunications and internet service provider company and is considered one of the main bodies for internet within the US. Their chief security officer, Dale Drew, has warned that people may have figured out how to abuse Portmap services to conduct a new form of DDoS attack, one which could have the “potential to be very, very bad”.

Portmap is an open source utility used on both Unix and Windows systems, meaning that all operating systems will potentially be open to this new kind of attack. Portmap works by mapping a service to a location and port number, essentially letting a client bind to and access anything from a networked hard drive to your home computer from work over the internet. Either way, when someone says that these ports are often left open, you can understand why being able to send lots of unwanted information to a home system could become a problem.

When these ports are queried they tend to respond with lots of information about the system, or at least with an explanation of why it's saying “NO!”. The problem is that once a response is generated, attackers are able to redirect it to other networks, causing the DDoS attack, all the while the traffic appears to come from your average family router at home.

This particular type of attack is aptly called a DDoS amplification attack; as you can probably tell, it will often result in a lot of people being affected, normally by abusing systems which a lot of people don't realise are doing anything bad.
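From the point of view of an ISP or a network operator, an abused Portmap server stands out in flow records: small queries arrive on UDP port 111 and much larger replies leave towards the same remote address, so the ratio of reply bytes to request bytes is the tell-tale. The example below is added here and is not from the article or from Level 3; it parses a handful of constructed flow records (the field layout and the addresses are made up for the example) and reports every responder/remote pair whose reply volume is many times the request volume. The alert threshold of 5x is an assumption chosen for the example.

```python
"""Spot Portmap (UDP/111) amplification abuse in flow records.

Added example (not from the article or Level 3). Flow records are
constructed inline; the whitespace-separated field layout below is an
assumption, not any particular collector's format.
"""
from collections import defaultdict
from dataclasses import dataclass

PORTMAP_PORT = 111
# Assumed threshold: a legitimate client's replies are roughly request-sized,
# while an abused responder sends replies many times larger than the queries.
AMPLIFICATION_ALERT = 5.0

# Constructed sample records: "src_ip src_port dst_ip dst_port proto bytes".
# 203.0.113.55 is the address on the receiving end of the large replies;
# 192.0.2.20 is an ordinary client making one small lookup.
SAMPLE_FLOWS = """\
203.0.113.55 40000 198.51.100.7 111 udp 64
198.51.100.7 111 203.0.113.55 40000 udp 1200
203.0.113.55 40000 198.51.100.7 111 udp 64
198.51.100.7 111 203.0.113.55 40000 udp 1200
203.0.113.55 40000 198.51.100.7 111 udp 64
198.51.100.7 111 203.0.113.55 40000 udp 1200
192.0.2.20 35000 198.51.100.7 111 udp 64
198.51.100.7 111 192.0.2.20 35000 udp 76
198.51.100.7 22 192.0.2.20 50000 tcp 5000
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Turn the whitespace-separated sample records into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def portmap_amplification(flows, alert_ratio=AMPLIFICATION_ALERT):
    """Return (responder, remote) pairs whose UDP/111 replies dwarf the requests."""
    pairs = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "requests": 0})
    for f in flows:
        if f.proto != "udp":          # Portmap reflection rides on UDP
            continue
        if f.dport == PORTMAP_PORT:   # a query towards a Portmap responder
            rec = pairs[(f.dst, f.src)]
            rec["bytes_in"] += f.nbytes
            rec["requests"] += 1
        elif f.sport == PORTMAP_PORT: # a reply leaving the responder
            pairs[(f.src, f.dst)]["bytes_out"] += f.nbytes

    alerts = []
    for (responder, remote), rec in pairs.items():
        if rec["bytes_in"] == 0:      # replies with no visible request: skip
            continue
        ratio = rec["bytes_out"] / rec["bytes_in"]
        if ratio >= alert_ratio:
            alerts.append({"reflector": responder, "target": remote,
                           "requests": rec["requests"],
                           "bytes_in": rec["bytes_in"],
                           "bytes_out": rec["bytes_out"], "ratio": ratio})
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


if __name__ == "__main__":
    for alert in portmap_amplification(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['reflector']} amplified {alert['ratio']:.1f}x "
              f"towards {alert['target']} over {alert['requests']} requests")
```

The ordinary lookup from 192.0.2.20 stays well under the threshold, while the three identical queries attributed to 203.0.113.55 produce an 18.75x amplification. A hit like this means the responder at 198.51.100.7 is reachable from the internet when it need not be, which is exactly what Level 3 is asking ISPs to chase down with their customers.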

Level 3 has contacted ISPs and forwarded details of those running open Portmap servers, hoping that this way they can quickly resolve the issue before it's abused too much.

Thank you PC World for the information.

Image courtesy of West End Solutions.

Ukrainian Hackers Helped US Insider Trader Earn $100 Million in Illegal Profits

An unlikely union between a bunch of Ukrainian hackers and unscrupulous US stock traders yielded profits of up to $100 million through illegal insider trading. The hackers stole confidential press releases, which they then made available to traders, over the course of five years, US authorities have revealed.

Nine people have been charged with insider trading after they were found to have used around 150,000 fraudulently obtained press releases from Business Wire, Marketwired, and PR Newswire. It is believed that the traders would put together a ‘shopping list’ of releases for the Ukrainian hackers to obtain. The helpful hackers even went so far as to create video tutorials, instructing traders how to exploit the information held within the press releases.

“This is the story of a traditional securities fraud scheme with a twist – one that employed a contemporary approach to a conventional crime,” Diego Rodriguez, FBI Assistant Director-in-Charge, said at a news conference.

“This case illustrates how cyber criminals and those who commit securities fraud are evolving and becoming more sophisticated,” U.S. Attorney Paul Fishman in New Jersey added. “The hackers were relentless and they were patient.”

The data theft could spell the end for the traditional business news wire outlets, already bypassed by companies such as Google, Microsoft, Wal-Mart, and Tesla, which have taken to publishing important information to their own websites instead.

Thank you Reuters for providing us with this information.

Hacked to Death: How Hackers Can ‘Kill’ You

Hackers can steal your details, your money, and even your identity, but at least victims of such attacks still had their health, eh? Not anymore: industrious keyboard-tappers can actually kill you. As in, a malicious computer-user can use a global exploit to have a living person declared legally dead.

The technique for ‘killing’ someone online was revealed by Chris Rock, Chief Executive Officer of Australian security company Kustodian, at the DEF CON security conference last week. Using the exploit, Rock posed as both a doctor and a funeral director to have death certificates issued for both friends and enemies.

“I have not contacted any vendor for fixes. Here is the definition of irresponsible disclosure,” Rock told attendees of the conference, his actions designed to expose that “it’s not so much a vulnerability – it’s a [mistake.] And it’s a global [mistake].”

The same security hole allows people to create birth certificates, so you can invent your very own virtual baby, which could be a long-term method of selling fake identities.

Rock later outlined his technique, speaking to Passcode. “Essentially, when someone dies, the doctor gets called in,” he explained. “They’ll check your pulse, fill out a certificate of death with what you actually died of – and obviously all your personal details, like your name and that sort of stuff. The certificate of death is a two-part document. It gets passed on to the funeral director to fill out his portion of the document.”

“The Americans have moved on to a system called EDRS [Electronic Death Registration System]. So doctors, on the Internet, can actually register a death online, and a funeral director can actually take that case and bury the body.”

“The Australian system is identical. The Canadian system is identical. They’re all following, now, an online presence because governments want accurate, centralized death records.”

Rock then detailed the crux of the vulnerability: “The vulnerable spots are both the doctor and the funeral director’s access to the online portal. They have a DIY [do-it-yourself] access.”

So, what can be done to prevent this? It’s out of our hands, Rock says, but he hopes his work will motivate governments to shore up security. “The government first needs to look at it,” he concludes. “If you’re going to unroll a system this large to doctors and funeral directors, you actually have to put some security controls around it. The message is: Before you roll something out, have some penetration testers look at it first.” He jokes, “A phone call would have been nice.”

Thank you The Christian Science Monitor: Passcode for providing us with this information.

Hack Targets Email System Of The Pentagon

NBC news is reporting information which has been supplied by US officials who have stated that Russia has launched a “sophisticated cyber attack” with the aim being the Pentagon’s Joint Staff unclassified email system.

The email system has since been shut down, taken offline for almost two weeks. The attack happened “sometime” around July 25th 2015, and has affected around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. I love how specific highly trained government officials are being concerning this possible intrusion.

Sources have briefed NBC News that the hack relied on “some kind of automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet”. There is suspicion that Russian hackers planned and implemented the cyber attack via encrypted accounts on social media.

The phrase, “oh here we go again” comes to mind with these types of cyber attacks, which conjure a feeling of Déjà vu or Groundhog Day depending on your movie of choice. If governments, companies and infrastructures intend to keep information stored within networks and connected devices, then it needs to be secure. It’s absurd that it keeps happening over and over again; it’s almost deciding which foot to shoot and ending up shooting both.

Officials have stressed at this time no classified information has been compromised, hopefully this will not change. There is also the unknown factor of whether this has been orchestrated by hackers on behalf of the Russian government. I expect more information to be placed in the public domain within the coming days, or it will be forgotten by a new hack from a far-flung country. Who knows, at this stage nothing is surprising.

Thank you NBC News for providing us with this information

Image courtesy of masteringfilm

Cooler Master US Site Hacked and Defaced

As companies are bombarded everyday by malicious attacks, more and more data breaches have been popping up in the news. Cooler Master is no exception and looks to be learning a lesson about security as their US website was taken down by hackers and defaced.

We have no news yet about the extent of the breach or what data, if any, was taken. The attacker, going by the tag “xMr.Goreman404_IDx”, looks to be cruising the web looking for sites with vulnerabilities to take down, with a number of other sites suffering similar attacks. Given the Indonesian flag in both the logo and waving in the background, it can be inferred that xMr.Goreman404_IDx is from Indonesia. It's also possible that the flag is just a diversion for investigators, though.

At this point, it does not look like the site is being used to host any malicious payload nor spread any propaganda other than slamming Cooler Master for their poor security. For now, it would not be advisable for anyone to visit the site until Cooler Master restores control. First notification about the hack took place at around 12PM PDT and as of this time, the site is unreachable and Cooler Master have yet to make a statement.

Images courtesy of Nineshadow

Hackers Took Up Residence Inside Government PC for a Year!

I recently wrote an article which looked at the cyber attack and subsequent theft of the data of 4.2 million American federal employees, which was transferred from the Office of Personnel Management to an external source. At the time it seemed to be a well orchestrated, planned attack which granted criminals access to a government network for a brief period of time; the word brief in this case is very much redundant now, as new information has come to light.

According to new information, the Personnel Management's security-clearance computer system, which is slightly different from the personnel database, was first breached in June 2014. This effectively means that hackers had access to a sensitive system for at least a year. Hackers had access to the personnel database for four months before that intrusion was detected. The confirmation came from Stewart Baker, a former National Security Agency general counsel. There is also strong speculation that these hacks originated from China, which, if true, means this is one of the most sensitive pieces of information to be reached by state-sponsored hackers. If these virtual intruders stayed any longer, officials would be asking them to pay rent.

Therein lie the murky layers of state-organised crime: if true, China will deny responsibility, but as we all know, China has farmed hacking and infiltration out to factory-designed hackers who are still on the payroll, while the Chinese government can deny it because it was not directly them.

Perhaps it’s time for the US government to invest in protecting its citizens rather than placing them under virtual surveillance, if this information leakage continues; private citizens will find themselves virtually held in a different country.

Thank You The Washington Post for providing us with this information

Image courtesy of huffingtonpost

GTA Player Hires Cheater to Save Him From Another Cheater

Rev Drucifer loves Grand Theft Auto V Online. It's the only game he plays, clocking up about 80 days of real time on it. It is his life. But there is one obstacle tainting his adoration, something that pushed him into taking drastic measures: cheaters.

“I wanted to start a new character/account that specifically focused on killing and keeping a high [kill/death ratio],” Drucifer told Kotaku. “I’m in a car with this guy and money bags start raining down. I realise my account is filling up FAST, so I jump out of the car… money is shooting out of my character’s arse. I’m yelling on the mic for him to stop, [but] he’s not stopping then all of a sudden [he] starts killing everyone in the lobby over and over.”

The player responsible had hacked the game in order to launch a malicious money honeytrap. Not only does such a bizarre event tempt players into picking up the spawning money, it tricks some into picking up too much, something that flags them to Rockstar Games' automated monitoring system as a cheater, resulting in a ban. The fact the money was spewing from Drucifer's character looked incredibly suspicious; despite him not being responsible for the event, he was kicked out of the game's lobby.

“Normally, you’ll get a warning when other players start voting to kick you, but there was no warning, I was just OUT,” Drucifer said. “When I hit X to continue, it brought me to a Bad Sport lobby and I had $102,000,000 in my account. I had maybe a couple hundred thousand previously.”

After explaining the events to a Rockstar employee over the phone, in an effort to get his “bad sport” ranking abolished, Drucifer received the following e-mail in response:

You are receiving this automatic reply because you recently submitted a ticket to Rockstar Games Support with the term “Bad Sport” found in the text. If your ticket is not related to Bad Sports or you believe you are receiving this message in error, please feel free to respond and we will address your question.

We are sorry to hear that you are having a problem related to the Bad Sport pool in Grand Theft Auto Online. The Bad Sport pool is triggered by things like quitting games early, blowing up other people’s vehicles, and being reported manually or voted out by other players from the in-game pause menu.

The Bad Sport pool is temporary and ends after a certain period of time that is displayed when entering GTA Online. Please note that the duration of the Bad Sport period may increase if further violations occur while in the Bad Sport pool, including being reported by other players.

Rockstar Games

Drucifer was alone, and quite angry. He decided to take matters into his own hands. He sought out the most ethical modder he could find and offered them money to fix the situation for him. “I shot him a message telling him the situation,” Drucifer said. “He said he’d give it a try but didn’t promise anything. Fifteen minutes later, I was out of Bad Sport.”

Aptly Mafia-esque, it seems the community really does take care of itself.

Thank you Kotaku for providing us with this information.

Data Breach: The Sure Fast Way to Become a Retail Pariah

“18.5M Californians lose data to hackers”  

Shocking weekly headlines such as this illustrate the growing problem of major data breaches at multinational enterprises and have both consumers and operators crying foul. In fact, these large data breaches have spawned a 600 percent increase in the number of California customer records compromised in cyber-attacks in 2014, according to the California Data Breach Report from state Attorney General Kamala Harris. Moreover, the average cost to investigate and deal with a data breach is $5.9 million, according to the 2014 Cost of Data Breach Study published by the Ponemon Institute and funded by IBM.

The unfortunate consequence of the data breach phenomenon is that it affects not only large multinational enterprises but every in-store and online retail business engaging in point of sale transactions. Ultimately, your business is vulnerable because your valuable customers are losing confidence in the security of point of sale transactions. After all, a primary concern raised by these data breaches is the risk to consumers’ financial health. Data security and customer trust are inseparably linked. Once data security is compromised, your customer will no longer trust your company. Gartner Group statistics tell us that 80 percent of your company’s future revenue will come from just 20 percent of your existing customers. Never underestimate the value of retention. Customer retention is the lifeblood of your business. Indeed, to retain customers you must gain and keep their trust with an ironclad point of sale system.

“FCC Slaps Telcos With $10M Fine for Data Breaches” 

This recent headline illustrates that the cost of a data breach to your business is not only qualitative in nature but quantitative. The United States Federal Communications Commission (FCC) fines for violations of the Communications Act can run into the tens of millions of dollars for operators who do not properly secure customer information such as customer names, Social Security numbers, and addresses. The bottom line is that if you fail to protect your customer data, the U.S. government can find you liable and you will have to pay up.

What Can You Do To Mitigate a Data Breach?

Proper security measures to secure customer information must be in place to protect the confidentiality of the consumer information you have on file. It is imperative to honor the trust of your customers and protect them from harm caused by violations of the Communications Act.

Whether point of sale providers or hackers are to blame, as an operator you are the bridge between your customer information and the point of sale provider. The simple fact is that the question is not if you should shore up your consumer data, but when. According to techhealthperspectives.com, you must ask your point of sale provider how secure your customer data is. Additional questions should be asked, such as: Is it stored on publicly accessible Internet servers? Do they have a current risk assessment model in place to determine if your investment in data security is up to par? Can they help you improve your audit controls and conduct breach drills?

Data security is usually reactive in nature. However, it is imperative for you to be proactive, reduce the threat and ultimately prevent a data breach. The use of a reputable expert such as Shopify can shore up your customer data and assist you with rapid and continuous defense against cyber-attacks, saving your business from the monetary and reputational damage of a data breach. Reputable online point of sale providers should host a Payment Card Industry Security Standard (PCI) compliant shopping cart. Moreover, to streamline your operations, you will want to look for a complete eCommerce solution which will help you organize your products, customize your storefront, track and respond to orders, and of course accept credit card payments.

If you currently find yourself in a situation where your customer data has been breached, until Congress passes a data breach notification law, you will be required to traverse the complex maze of 47 state requirements. A guide to assist you with state laws on data breach notifications has been released by the Direct Marketing Association and is available at thedma.org.

It’s never too late to secure your customer data. Protect your business and provide your customers with confidence in the security of your point of sale transactions. After all, once data security is compromised, your customer will no longer trust your company. In summary, to retain customers you must gain and keep their trust with an ironclad point of sale system. What can you do to avoid a data breach? Assess your current point of sale provider and determine if they are Payment Card Industry Security Standard (PCI) compliant. Be bold and take a stand for your business and your customers against hackers. Ask your point of sale provider what steps you need to take to avoid becoming the latest weekly headline as a data breach retail pariah.

Up to $900 Million Stolen Online in Biggest Bank Robbery Ever

In a 21st Century bank job, thieves don’t even need to set foot on the premises, let alone have a getaway car primed: all they need is a computer and the right software. According to a report from The New York Times, tech security firm Kaspersky has been tracking a monumental bank heist that could have netted thieves up to $900 million.

A group of unknown hackers from Russia, China, and Europe targeted a series of banks over a number of years with bespoke, sophisticated software to siphon over $300 million from accounts. The banks in question have been made aware of the theft, but have chosen not to disclose it. Kaspersky suggests that over 100 banks could have been targeted, and that the total haul could amount to a figure beyond $900 million.

Chris Doggett, Managing Director of Kaspersky North America, said, “This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”

Source: BGR

Need A Hacker? Hire One on This New Website

A new website has been launched called ‘Hackers List’, which allows you to post jobs available for actual hackers. Essentially, think of the site as a sort of oDesk or People Per Hour for computer hackers.

This may seem like a joke, but people really are using this thing, posting jobs requiring sometimes highly illegal activities to be performed by hackers. For instance, according to The New York Times, there is currently a woman on the site offering $500 for someone to hack her partner’s Gmail and Facebook accounts. There’s also someone in Sweden willing to give $2000 for someone to break into his landlord’s website.

While this thing may seem like some clever publicity stunt, there are currently over 500 jobs ready and waiting for willing digital assailants. The whole process is anonymous, with no identifying information passed between the ‘employer’ and the hacker.

The website is registered in New Zealand (a country famous for digital crimes thanks to Kim Dotcom) and claims that it is perfectly legal and not at all liable for any illegal activities. Its lengthy terms and conditions state that it does not condone any illegal activity and that the site shouldn’t be used for anything illegal in the first place (yeah, right).

Obviously not all hacking is illegal – there are people out there with incredible hacking skills who do currently make a good living getting paid by companies to purposely hack things, often with the intention of uncovering any vulnerabilities. Perhaps this site could be best utilised in that way, maybe providing such purposes to smaller developers and startups.

Source: The New York Times, via Gizmodo

Crayola Facebook Page Hacked – Flooded With NSFW Content

When you think of Crayola, you think of youthfulness and innocence, a child scribbling with his or her favourite colour crayons perhaps. What you don’t think of is “The Worst Kind of Boobs”, “Reasons why girls don’t give blow jobs” and “Disney For Adults”.

That pretty much summarises what happened to the company’s Facebook page this past weekend after it was hacked and flooded with racy and sometimes mildly pornographic content.

The company did eventually get back in control of the page, but fortunately Adweek managed to screenshot some of the offending posts.

Source: Adweek

Xbox One Software Development Kit Leaked

A Hacker group called H4LT has obtained and leaked the Xbox One software development kit (SDK), allowing home developers to create their own homebrew software for the Microsoft console.

In a short interview with The TechGame, H4LT claim, “We leaked it to the community because if something is shared then […] progress is achieved faster than alone. […] The SDK will basically allow the community to reverse and open doors towards homebrew applications being present on the Xbox One.”

Though H4LT says “there is no definite exploit,” the group hopes that coders with Windows 8 experience will crack it soon.

Source: Yahoo! Games

Fingerprint of Politician Cloned Just From Public Photos

A member of the Chaos Computer Club has reportedly ‘cloned’ the fingerprint of a politician from Germany solely using publicly available images taken by press at a conference.

Jan Krissler created a usable copy of German defence minister Ursula von der Leyen’s fingerprints using only images and computer software. The software presumably magnified the images taken to a degree that individual details in Ms von der Leyen’s prints could be identified and easily replicated.

Krissler says that “politicians will presumably wear gloves when talking in public” following the publication of his research. Maybe they should too, because details like this could give someone access to anything from her phone to a highly secure building.

Fingerprint recognition has slowly been shown to be not as secure as originally accepted, with hackers working hard to find ways to circumvent it. Other methods, like finger vein recognition, are being developed to get around the issues traditional biometrics pose.

Source: BBC News

Lizard Squad Attacks Tor

Lizard Squad, the hacker group responsible for the Christmas Day attacks on Xbox Live and PlayStation Network, has turned its sights upon the anonymity network Tor (The Onion Network).

https://twitter.com/LizardMafia/status/548525026027507712

Lizard Squad’s latest attack seems to be designed to compromise users’ anonymity by commandeering Tor’s relay nodes. If the hackers take control of enough nodes, they will be able to eavesdrop on, track, and identify Tor users. So far, Lizard Squad has control of 3,000 relays, close to half of all nodes.

As of Friday evening, the attack continues. Tor has yet to comment on the situation.

https://twitter.com/LizardMafia/status/548523618901454848

Source: Gizmodo

Lizard Squad Supposedly Unmasked by Rivals

Pesky hacker group Lizard Squad, who have launched a number of attacks upon Xbox Live and the PlayStation Network (among many others), have apparently been unmasked by a rival group.

‘The Finest Squad’ wrote that they had taken Lizard Squad from Twitter.

This is not yet confirmed, but we’ll update you if there is any more information.

Source: newsxbox.com

eBay Looking to Place Interactive Mirrors in Changing Rooms

eBay is looking to move into the brick-and-mortar retail world, expressing interest in installing mirrors in dressing rooms that will offer the customer suggested accessories and product browsing, all available through a touch screen. These screens are being installed as a trial at the Rebecca Minkoff store, seeing eBay follow a similar path to online retail giant Amazon, which is preparing a store opening in New York. eBay is part of a movement to make our retail habits more interactive, providing users with simpler options to pick and choose clothing and accessories, helping them save time and quite possibly helping these stores to turn some extra profit.

eBay’s head of innovation and new ventures, Steve Yankovich, commented: “So physical retail, a showroom, I think will never go away”. This statement reflects eBay’s position on the capabilities and viability of store-fronts moving into the future.

This whole experience will be delivered through an app installed on the user’s phone, meaning that these screens will be able to use the person’s purchasing history to further help them choose their garments. Clothes in these stores will carry RFID tags, allowing the interactive mirrors to recognize not only the customer, but the clothes that they are trying on. This system will allow shoppers to attach their purchases and test fittings to their personal profile, letting them track their favorite styles and brands as they see fit.

Here’s hoping they install some kind of strong security system, as there is a seemingly large possibility of hackers abusing the cameras installed in these mirrors for personal benefit in criminal fashion.

Image courtesy of Bloomberg Businessweek

Sony Pictures Brought to a Halt – Hackers Have Taken Over

A Reddit user (whose account has since been deleted) recently brought to light that all Sony Pictures staff have been locked out of their office systems, with the warning message above being displayed on every single monitor. The original thread can be found here, with various user reports from people who have friends, or friends of friends, confirming this information.

We’ve come to learn that all Sony staff have been sent home until further notice, while the Sony executives figure out what to do with this issue at hand. Sony have shut down all their computers in Los Angeles as a precaution and are working on recovering their functionality.

Here’s a quick run down of the data available, as shown in the above image, by Reddit user tehrabbit:

“ZIP file contains 3 files, LIST1 and LIST2, followed by a “Readme” file.
The Readme contains a list of e-mails.
The “#GOP” refers to “Guardians of Peace” apparently.

Contents of README.txt:

These two files are the lists of secret data we have acquired from SPE.
Anyone who needs the data, send an email titled “To the Guardians of Peace” to the following email addresses.

In Addition, The two files, LIST1 and LIST2 seem to contain file names of several PDF, DOC, and Excel files related to Internal Financial Reports.

File size information:
638359749 list1.txt
397802180 list2.txt

Rather large text files, mostly just a list of what looks like the contents of a fileserver.

Some members have tested the above email addresses, but receive no confirmation or immediate response when the special pass-code is sent. This is rumored to be because the hackers will be sending out all of the information in one hit once the deadline is met. What exactly will happen when the deadline is reached? We’ll have to wait and find out.

We will continue to report as the story develops here on eTeknix.

UK National Crime Agency Arrests Five in Cybercrime Sweep, While Threats Continue

As part of an international operation targeting cybercriminals who use remote access tools (RATs) to hijack computers, five people were arrested in the UK. There is an international effort to promote cybersecurity for both consumers and businesses, alongside the crackdown on cybercriminals.

The National Crime Agency (NCA) arrested the five suspects on Nov. 19 and Nov. 20, with one 20-year-old, one 30-year-old, two 33-year-olds, and one 40-year-old detained in the national sweep.

Here is what Andy Archibald, director of the NCA’s National Cyber Crime Unit, said (via press statement):

“This operation demonstrates once again that all of UK law enforcement is working to respond effectively to cyber crime, and together we will continue to collaboratively target those who use technology to misuse other people’s devices, steal their money, or unlawfully access confidential information. Anyone who is tempted to get involved in this type of crime should understand that it can result in prison time, and substantial restrictions on your life afterwards.”

The first layer of protection against RATs and other malware is to be careful when clicking on links and attachments in emails, or while browsing the Internet. However, cyberattacks are increasing in sophistication, as the criminals behind these operations perfect their craft, with serious money available to them when they succeed.

Peter Goodman, East Midlands Deputy Chief Constable, had this to say:

“Cybercriminals are using very sophisticated technology to breach online security systems and to conceal their digital tracks. However, the police forces in the UK and overseas have the expertise to identify and disrupt those who are determined to access computers in order to steal data or to commit serious offences, wherever they are in the world.”

(Thank you to the NCA for providing us with this information. Image courtesy of NCA Twitter)