Shared posts

14 Nov 18:47

HSBC Turkey WON'T reissue cards despite 2.7 MILLION account details going AWOL

by John Leyden

Not enough info stolen to make fraud possible, says bank

HSBC Turkey has admitted to a security breach exposing the details of 2.7m credit card accounts, but the bank has decided not to reissue cards, judging that the exposed data is not sufficient to carry out fraudulent transactions.…

19 Aug 22:25

U.S. Nuclear Regulator Hacked Three Times in Three Years

by Chris Brook
Hackers hit the U.S. Nuclear Regulatory Commission (NRC) three separate times over the past three years.

29 Jul 15:46

Why the recent court ruling on Gmail matters to you

by Michael Santarcangelo

“Just email it to me, I work out of my inbox anyway.”

That was the answer to my question of how to share a collaborative document with a client. A nod, perhaps, to the continued importance of email. Timely, too, since last week Sophos tipped us off to the ruling of New York District Judge Gabriel Gorenstein that a Gmail account is equivalent to a hard drive when a warrant is concerned.

That means seizing your entire email account instead of specific messages when a warrant (technically a warrant/subpoena) is issued.

Big deal or non-issue?

20 Jul 21:58

Calling All Hackers: Help Us Build an Open Wireless Router

by Jacob Hoffman-Andrews and Peter Eckersley and Ranga Krishnan

EFF is releasing an experimental hacker alpha release of wireless router software specifically designed to support secure, shareable Open Wireless networks. We will be officially launching the Open Wireless Router today at the HOPE X (Hackers on Planet Earth) conference in New York City, aiming to bring aboard members of the hacker community. This release is a work in progress and is intended only for developers and people willing to deal with the bleeding edge.

The software aims to do several things that existing routers don't do well—or don't do at all. We are beginning a journey that we hope will attract supporters and fellow travelers to help reach the following goals:[1]

  • Allow small business and home users to easily enable an open network, so guests and passersby can get an Internet connection if they need one, while keeping a password-locked WPA2 network for themselves and their friends or coworkers.
  • Let you share a bounded portion of your bandwidth on the open network, so guest users cannot slow down your Internet connection or use a large portion of your monthly quota.[2]
  • Provide state-of-the-art network queuing, so most users can expect an improved Internet experience—especially with latency-sensitive applications—compared to what commonly available consumer grade routers are delivering today.
  • Offer a minimalist, secure, and elegant Web user interface to set up and configure the router. Advanced, non-minimalist administrative options are accessible by SSH.
  • Advance the state of the art in consumer Wi-Fi router security and begin turning back the growing tide of attacks against them. Most or all existing router software is full of XSS and CSRF vulnerabilities, and we want to change that.
  • Include a secure software auto-update mechanism. In addition to using HTTPS, firmware signatures and metadata are fetched via Tor to make targeted update attacks very difficult.

We are offering this hacker alpha release to engage enthusiastic technical users who would like to help us test, develop, improve, and harden the Open Wireless Router. Currently the software runs on one specific model of hardware (the Netgear WNDR3800) and is based on the CeroWRT project. If you have a WNDR3800 router, you can get the developer preview image here and learn how to flash it here. If you'd like to hack on the code base, you can find code and instructions on building it at Github.

This Open Wireless Router prototype is made possible by the generous contribution of project resources and developers from ThoughtWorks, which came about through their exemplary social impact program. We are also very grateful for assistance from Dave Täht of CeroWRT and the Wi-Fi router hackers at Independent Security Evaluators (ISE).

  • [1] For further details, questions, and offers of assistance, please start with the FAQ and Github pages. If that does not suffice, or for press inquiries, please contact Ranga Krishnan.
  • [2] The prototype implementation includes a defined ceiling for instantaneous guest throughput as well as a long-term quota. In the future, we will implement a dynamic ceiling so that while you aren't using your network, guests can temporarily borrow it at full speed if enough quota remains available.

17 Jul 15:43

Google bug-hunting Project Zero could face software developer troubles

by Antone Gonsalves

Google's launch of a bug-hunting initiative has raised concerns over how the company will handle conflicts with vendors unable to patch software before Google's deadline for reporting vulnerabilities.

Tussles with software developers are sure to occur during Google's effort, announced Tuesday, to find zero-day vulnerabilities before they can be exploited by cybercriminals.

[Google sets up cybercrime-busting task force]

15 Jul 00:41

LastPass discloses now-fixed vulnerabilities ahead of security conference

by Jeremy Kirk, IDG News Service

Popular password manager LastPass said it fixed two vulnerabilities that were found last year. The disclosure comes just ahead of a security conference where a research paper describing the problems is due to be presented.

Zhiwei Li, a research scientist at Shape Security, reported the flaws to LastPass in August 2013, which were "addressed immediately," LastPass wrote on its blog.

Both flaws involved "bookmarklets," which assist in filling out stored password information when LastPass's plugin can't be used, such as when using a mobile browser.

[The biggest data breaches of 2014 (so far)]

08 Jul 22:47

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al.

by Dan Goodin

Update: Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack. Later, a cofounder of Olark said that service had been patched, too.

A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.

The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they're executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.

02 Jul 18:32

New malware program hooks into networking APIs to steal banking data

by Lucian Constantin

There is yet another reason to be wary of spam email about bank transfers or invoices -- it could be carrying a new, cleverly designed malware program that steals financial information.

Most Trojan programs steal financial information from users by injecting rogue forms into Web browsing sessions, but a newly discovered malware program takes a different approach and leverages browser network APIs to sniff outgoing traffic.

[New banking malware spotted with phishing attack]

The new threat has been named Emotet by security researchers from antivirus vendor Trend Micro, who recently analyzed variants targeting the customers of several German banks. The malware is distributed via malicious links in spam email messages that masquerade as bank transfer notifications or invoices.

18 Jun 16:41

New powerful banking malware called Dyreza emerges

by Jeremy Kirk, IDG News Service

Security researchers said they've spotted a new type of banking malware that rivals the capabilities of the infamous Zeus malware.

The malware, which is being called "Dyreza" or "Dyre," uses a man-in-the-middle attack that lets the hackers intercept unencrypted web traffic while users mistakenly think they have a secure connection with their online banking site.

Although Dyreza has similarities with Zeus, "we believe this is a new banker trojan family and not yet another offspring from the Zeus source code," according to a writeup by CSIS, a Danish security company.

Dyreza uses a technique called "browser hooking" to view unencrypted web traffic, which involves compromising a computer, capturing unencrypted traffic and then stepping in when a user tries to make a secure SSL (Secure Sockets Layer) connection with a website.

12 May 19:54

$4.8 Million Settlement for Breach

Heftiest HIPAA Penalty Yet from Federal Regulators
Federal regulators have issued a $4.8 million sanction, the largest HIPAA settlement to date, against two partnering New York healthcare organizations following a breach affecting just 6,800 individuals. Learn the details behind the tough penalty.

17 Apr 17:04

Organizations suffer SQL Injection attacks, but do little to prevent them

by Steve Ragan

On Wednesday, the Ponemon Institute released the results of a new study conducted for DB Networks. In it, 65 percent of the respondents said that they've experienced one or more SQL Injection attacks in the last 12 months. In addition, each incident took an average of 140 days to discover, and 68 days to fix the issue.

"It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues," commented Dr. Larry Ponemon.

But there's a problem.

When it comes to preventing SQL Injection, those who took part in the study said that protective measures are lacking, and 52 percent of the respondents said they don't take any precautions, such as code audits and validation checks.

07 Apr 17:52

Zeus malware found with valid digital certificate

by Antone Gonsalves

A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection from Web browsers and anti-virus systems.

Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component.

"Malware with a valid digital signature is an extremely dangerous situation," the company said in a blog post.

Zeus is typically distributed through a compromised Web page or through a phishing attack in which cybercriminals send email that appear to come from a major bank.

07 Apr 16:58

Oracle’s Java Cloud Service open to code execution hacks, researchers warn

by Dan Goodin

Researchers have released technical details and attack code for 30 security issues affecting Oracle's Java Cloud Service. Some of the issues make it possible for attackers to read or modify users' sensitive data or to execute malicious code, the researchers warned.

Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed, to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text user passwords stored in some systems.

"The company openly admits it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future," Adam Gowdiak, CEO of Security Explorations, said. The security research firm is the same one that has discovered a host of extremely severe vulnerabilities in Oracle's Java software framework, some of which have been exploited in the wild to surreptitiously install malware on end-user computers.

02 Apr 19:58

Tinder users targeted by spamming bots

Spammers are taking advantage of the popularity of the Tinder dating app to promote a game via bots posing as attractive women. For a week now users have been complaining of getting matched with bo...
27 Mar 06:46

Cybercrime trends point to greater sophistication, stealthier malware, more encryption

by Antone Gonsalves
RAND Corp. report outlines evolution of cybercrime and emergence of more complex and evasive tools

25 Mar 16:25

ATM malware, controlled by a text message, spews cash

The malware can cause a cash machine to start churning out bills

25 Mar 16:20

OWASP AppSec Keynote - Security in an Interconnected and Complex World of Software

by Michael Coates

Last week I delivered the closing keynote at the OWASP AppSec Apac conference held in Tokyo, Japan. Riotaro Okada, Sen Ueno, Robert Dracea and the entire OWASP Japan chapter put the amazing conference together.

The slides are posted and a video recording should be available soon.

-Michael Coates - @_mwc

11 Mar 16:47

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records

by BrianKrebs

In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID theft service Superget.info.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. 

HIEU KNOWS YOUR SECRETS?

As I reported last year, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa.

Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service.  According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

The government alleges that the service’s customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo’s customers made approximately 3.1 million queries on Americans.

“At this point the government does not know how many U.S. citizens’ [personally identifiable information] was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul J. Barbadoro in New Hampshire District Court earlier this month. “And we don’t know because the way the process worked was a bad actor could type in the name of an individual and a state…”

Huftalen’s explanation was interrupted by Judge Barbadoro, who told the courtroom he was late for another engagement. However, based on my own experience with Ngo’s service, I believe Mr. Huftalen was trying to explain that because of the way that Ngo set up his identity theft service — variously named “Superget.info” and “findget.me” — each customer query in fact returned multiple records.

The “sourceid” abbreviations in Ngo’s Superget.info identity theft service pointed toward Court Ventures.

When I first became aware of Superget.info, I conducted a search on my own information, asking Ngo’s service to return any information on a Brian Krebs in Virginia. That query produced several pages of results, with each page containing at least ten different records full of personal data on multiple individuals — including my correct records. Revealing the more sensitive data for each record — including the date of birth and Social Security number — merely required clicking a link within each listing on the page; each click would result in a small amount being deducted from the customer’s balance.

The point is that each query on Ngo’s service almost always exposed multiple records. That means that if Ngo’s clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo’s service is likely to have been many times that number — potentially as many as 30 million records. 

EXPERIAN: ‘WE’RE GOING TO MAKE SURE THEY’RE PROTECTED’

Beyond acknowledging the broad outlines of the government’s claims against Ngo, Experian has refused to discuss the matter. “Due to an ongoing federal investigation, we have been asked not to comment beyond the information we have already shared to ensure nothing impedes the progress of the investigation,” Experian spokeswoman Susan Henson said in an emailed statement.

Experian's Tony Hadley, addressing the Senate Commerce Committee in Dec. 2013.

The few public statements that Experian has made regarding the incident came in a hearing last December before the Senate Committee on Commerce, Science, & Transportation, which was examining the data broker industry.

In that hearing, Missouri Senator Claire McCaskill grilled Tony Hadley, Experian’s senior vice president of government affairs. Every other senator on the committee focused on Experian’s practice of profiling consumers, but McCaskill used her time to question Hadley specifically about the company’s role in Ngo’s ID theft service.

Hadley acknowledged that Experian failed to conduct the due diligence needed to detect Ngo’s activities prior to or anytime after acquiring Court Ventures. Indeed, Hadley said that Experian didn’t learn about Ngo’s activities until after being notified by the U.S. Secret Service.

“During the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident,” Hadley told McCaskill and other panel members. “We were a victim, and scammed by this person.”

The Missouri Democratic senator shot back: “Well I would say people who had all their identities stolen are the real victims.”

“And we know who they are, and we’re going to make sure they’re protected,” Hadley assured the panel. But incredibly, in the very next breath Hadley seemed to suggest that nobody had proven or alleged that any of the records its company sold to Ngo had resulted in harm to consumers.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley said.

I asked Experian to explain the apparent inconsistencies in Mr. Hadley’s statement, and to clarify whether the company had already begun to offer protection or service to anyone impacted by this scheme. So far, the company has declined to respond to those questions, citing the ongoing investigation.

But the evidence offered by the U.S. government strongly suggests that many people were injured by Experian’s lack of due diligence. Addressing the court at Ngo’s guilty plea hearing last week, U.S. Attorney Arnold H. Huftalen said the evidence was clear that Ngo’s customers purchased data from Experian’s firm with the intention of stealing the identities of consumers.

“The U.S. Secret Service has conducted investigations into many of his customers, all of whom have stated that they only obtained the information from Mr. Ngo to engage in criminal fraud,” Huftalen said. “The evidence would establish that at the time Mr. Ngo knew that he was providing the information for others to engage in fraud.”

It remains unclear whether Experian will ever be required to answer for its costly oversight. Mr. Ngo, on the other hand, is facing a lengthy prison sentence. He is charged with wire fraud, access device fraud and identity fraud. The maximum possible prison term for all three offenses combined is 45 years. Ngo may also be fined up to twice the gross gain resulting from his offenses, or twice the loss to consumers, whichever is greater. Ngo is slated to be sentenced on June 16th.

A full copy of the transcript from Ngo’s guilty plea proceeding is available here (PDF).

07 Mar 16:35

Tor network used to hide 900 botnets and darknet markets, says Kaspersky Lab

Counts 5,500 dodgy relays and 1,000 exit nodes

04 Mar 18:28

Mozilla gives plug-in developers until March 31 to apply to whitelist

Developers will need to present compelling arguments for getting their plug-ins on the whitelist, Mozilla said

04 Mar 01:10

Hackers hijack 300,000-plus wireless routers, make malicious changes

by Dan Goodin

Three phases of an attack that changes a router's DNS settings by exploiting a cross-site request vulnerability in the device's Web interface. (Image: Team Cymru)

Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.

The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.

So far, the attacks have hijacked more than 300,000 servers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.

04 Mar 01:09

Beware of credit-card hack affecting Chicago taxis, bank tells customers

by Dan Goodin

An Illinois-based bank is urging customers to stop using credit and debit cards to pay for cab rides in Chicago until more details can be learned about a possible breach suspected of compromising the payment processor that local taxi companies use.

The warning, made Friday by First American Bank, comes amid the high-profile hack on the corporate network of Target that led to the compromise of credit card data for 40 million customers. Since then, several other large retailers have reported similar breaches or come under suspicion of being hacked. The reports are creating an environment of mistrust among payment card issuers, retailers, and consumers. In Friday's advisory First American Bank officials put it this way:

As you’re hearing more and more in the news about the theft of debit and credit card data, we at First American Bank wanted to let you know that we are doing everything we can to ensure our customers are protected and will go to great lengths to do so.

We are advising you not to use your First American Bank debit cards (or any other cards) in local taxis. We have become aware of a data breach that occurs when a card is used in Chicago taxis, including American United, Checker, Yellow, and Blue Diamond and others that utilize Taxi Affiliation Services and Dispatch Taxi to process card transactions.

We have reported the breach to MasterCard® and have kept them apprised of details as they’ve developed. We have also made repeated attempts to deal directly with Bank of America Merchant Services and Bank of America, the payment processors for the taxis, to discontinue payment processing for the companies suffering this compromise until its source is discovered and remediated. These companies have not shared information about their actions and appear to not have stopped the breach.

Since identifying the scheme, we have continuously monitored activity on our customers’ cards. Until the situation is rectified, we will continue to close and reissue cards that have been exposed. This interruption of card services has inconvenienced our customers while they wait for a new card. This can be particularly problematic for customers who are traveling. We believe strongly that the sanctity of our customer’s ability to access their funds without such risk of interruption is a bedrock principle in customer service, and we do so only in cases of extreme risk.

We have submitted a complaint to the City of Chicago Department of Business Affairs and Consumer Protection to get its help to stop the fraud, and have shared the information we have with the appropriate authorities. We ask that you not use your card in taxis until we can advise you that this criminal activity has been stopped.

As always, please monitor your account for any suspicious activity and report it right away to (847) 952-3700. Make sure we have your most current e-mail and phone numbers on file so that we can contact you immediately in the event of another breach. Thank you for choosing First American Bank. We appreciate your business.

According to an article published Monday by KrebsOnSecurity, bank officials issued the statement 18 days after learning of a pattern of fraud on cards previously used in Chicago taxis.

04 Mar 01:09

Update on Plugin Activation

by Chad Weiner

To provide a better and safer experience on the Web, we have been working to move Firefox away from plugins.

After much testing and iteration, we determined that Firefox would no longer activate most plugins by default and instead opted to let people choose when to enable plugins on sites they visit. We call this feature in Firefox click-to-play plugins.

We strongly encourage site authors to phase out their use of plugins. The power of the Web itself, especially with new technologies like emscripten and asm.js, makes plugins much less essential than they once were. Plus, plugins present real costs to Firefox users. Though people may not always realize it, we know plugins are a significant source of poor performance, crashes and security vulnerabilities.

Developers will increasingly find what they need in the Web platform, but we also recognize that it will take some time for them to migrate to better options. Also, we know there are plugins that our users rely on for essential tasks and we want to provide plugin authors and developers with a short-term exemption from our default click-to-play approach. Today, we’re announcing the creation of a temporary plugin whitelist.

Any plugin author can submit an application to be considered for inclusion on the whitelist by following the steps outlined in our plugin whitelist policy. Most importantly, we are asking for authors to demonstrate a credible plan for moving away from NPAPI-based plugins and towards standards-based Web solutions.

Today marks the beginning of an application window that will run until March 31, 2014. Any plugin author’s application received before the deadline will be reviewed and processed before click-to-play is activated by default in Firefox. Whitelisted status will be granted for four consecutive Firefox releases and authors may reapply for continued exemption as the end of the grace period draws near.

Our vision is clear: a powerful and open Web that runs everywhere without the need for special-purpose plugins. The steps outlined here will move us towards that vision, while still balancing today’s realities.

- Chad Weiner, Director of Product Management

21 Feb 19:38

Fire Sale on Cards Stolen in Target Breach

by BrianKrebs

Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices.

Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.

Earlier today, the underground card shop Rescator[dot]so moved at least 2.8 million cards stolen from U.S.-based shoppers during the Target breach. This chunk of cards, dubbed “Beaver Cage” by Rescator, was the latest of dozens of batches of cards stolen from Target that have gone on sale at the shop since early December.

The Beaver Cage batch of cards has fallen in price by as much as 70 percent compared to those in “Tortuga,” a huge chunk of several million cards stolen from Target that sold for between $26.60 and $44.80 apiece in the days leading up to Dec. 19 — the day that Target acknowledged a breach. Today, those same cards are retailing for prices ranging from $8 to $28. The oldest batches of cards stolen in the Target breach – i.e., the first batches of stolen cards sold – are at the top of the legend in the graphic above; the “newer,” albeit less fresh, batches are at the bottom.

The core reason for the price drop appears to be the falling “valid rate” associated with each batch. Cards in the Tortuga base were advertised as “100 percent valid,” meaning that customers who bought 10 cards from the store could expect all 10 to work when they went to use them at retailers to purchase high-priced electronics, gift cards and other items that can be quickly resold for cash.

This latest batch of Beaver Cage cards, however, carries only a 60 percent valid rate, meaning that on average customers can expect at least 4 out of every 10 cards they buy to come back declined or canceled by the issuing bank.

The previous batch of Beaver Cage cards — pushed out by Rescator on Feb. 6 — included nearly 4 million cards stolen from Target and carried a 65 percent valid rate. Prior to Beaver Cage, the Target cards were code-named “Eagle Claw.” On Jan. 29, Rescator debuted 4 million cards bearing the Eagle Claw name and a 70 percent valid rate. The first two batches of Eagle Claw-branded cards — a chunk of 2 million cards — were released on Jan. 21 with a reported 83 percent valid rate.

Rescator[dot]so card shop announcing the availability of new bases of Target cards.

HARBOR FREIGHT

The same pattern can be observed in another major breach from 2013. Relying on much the same method I used to validate the Target breach, I approached several financial institutions to determine if other batches of cards sold by Rescator’s various shops could be traced to specific breaches in 2013.

Sure enough, it didn’t take long to identify the midsummer 2013 breach at Harbor Freight Tools as the source of at least two major batches (they are called “bases” in the card shops, not batches) of cards sold by Rescator’s shops last year. Beginning in late June 2013, Rescator began selling a base called “Lepid,” moving new batches of Lepid cards onto the market almost every week in chunks of 100,000 cards at a time.

Just as with the Target breach, the Lepid cards initially were advertised as 100 percent valid, and came with a hefty price tag. But by mid-July 2013, the valid rates had begun to dip down to 95 percent, most likely because by that time banks had begun seeing the fraud and canceling cards. A month later, the valid rates were below 75 percent, and by the time the Target breach was disclosed in December, fewer than half of the cards were still active.

Prices on cards stolen in the Harbor Freight Tools breach fall as more cards come back declined.

In late July, Harbor Freight disclosed a breach of its payment card system that lasted for seven weeks between May 6 and June 30, 2013. The company has not said how many customer cards were stolen, but from the volume of Lepid cards pushed onto Rescator’s shop as well as those from other bases tied to cards all used at Harbor Freight during the breach time frame (including bases “Laurentius” and “Sidonius”), it’s likely to have been several million.

The data from both Target and Harbor Freight Tools raise several questions. For starters, why did the valid rate decline so much faster with the Target cards than with those stolen from Harbor Freight? After all, it took nearly six months for the valid rates on cards stolen from Harbor Freight to reach 50 percent, while we’re already fast approaching that rate with the Target cards just two months after that breach was disclosed. I’m guessing the obvious answer is most likely the correct one: that the Target breach simply received a great deal more attention, both from the media and from card-issuing banks nationwide.

Does this mean the Target and Harbor Freight breaches are connected? I have no idea, although I strongly suspect that Rescator and his merry band of thieves played a key role in both breaches — beyond merely offloading stolen cards. In several instances, Rescator himself referred to Lepid as “our” base, indicating the batch was from a firsthand source.

The analysis of some of the malware used in the Target breach suggests that Rescator may have been directly involved in that attack. I don’t have any such clues from the Harbor Freight breach; the company has not responded to requests for comment, and Mandiant — the forensics firm which was called in to investigate the Harbor Freight breach — declined to comment.

Finally, a number of folks with whom I’ve shared this research wondered why any cards that were suspected as stolen in the breach at Target would not already have been canceled by issuing banks. It’s not clear how accurate Rescator’s valid rates are — certainly Rescator has a vested interest in fudging the numbers.

But assuming the percentages are relatively accurate, many factors could explain why some banks haven’t simply canceled and reissued all cards potentially impacted in the breach. One source I spoke with earlier this year from a fairly large card issuer said his institution still had not reissued at least 40 percent of its cards affected by the Target breach. The source said those cards generally fell into two categories: cards that had only recently been reissued prior to the Target breach discovery, and those that were expected to naturally reach their expiration dates in the next month or so.

I should note that the above analysis ignores several million non-US cards stolen from Target shoppers and sold under the international “Barbarossa” label (the outlier in orange from the first graphic above), which at one time fetched prices in excess of $120 per card.

20 Feb 23:05

Pulling the reins on data breach costs

by George V. Hulme

The costs of data breaches remain stubbornly high, but there are steps organizations can take to keep costs down

18 Feb 21:25

Bizarre attack infects Linksys routers with self-replicating malware

by Dan Goodin

Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."

18 Feb 21:25

Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw

by Dan Goodin
An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend—a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used to access the drive from various locations on his local network.

"This is an automated message being sent out to everyone effected [sic]," the message, uploaded to his device without any login credentials, read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt."

It's likely that Jerry wasn't the only person to find the alarming message had been uploaded to a hard drive presumed to be off-limits to outsiders. Two weeks ago, a group posted almost 13,000 IP addresses its members said hosted similarly vulnerable Asus routers. They also published a torrent link containing more than 10,000 complete or partial lists of files stored on the Asus-connected hard drives.

18 Feb 21:24

Password leak in WeMo devices makes home appliances susceptible to hijacks (updated)

by Dan Goodin
Update: Seven hours after this article was published, Belkin representatives issued a statement saying most of the vulnerabilities IOActive reported had been patched in January, in version 3949 of the WeMo firmware. The statement also said Belkin employees had been in contact with researchers about the vulnerabilities prior to Tuesday's report.

IOActive researcher Mike Davis said the extent of his communication with Belkin was a single phone call with an employee. Davis said he was never informed of any patches being issued for the WeMo firmware. The US-CERT advisory similarly stated there were no known fixes for the vulnerabilities. Below is the story as originally reported, followed by Belkin's statement, Davis's reply, and a representative's response to questions.

Security researchers have taken the unusual step of recommending that people stop using Belkin's WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.

10 Feb 16:56

Cybercriminals compromise home routers to attack online banking users

Attackers changed the DNS configuration of vulnerable home routers to mount man-in-the-middle attacks against users in Poland

06 Feb 18:24

Google adds its Chrome extensions and apps to cash-for-cracks bounties

by Iain Thomson

Ups serious open source fix reward to $10,000

Google is so happy with its bug bounty program that it has increased the rewards given for flaw-finding and has added all of its home-grown apps and extensions for Chrome to the prize pot.…