Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Security Breach
Breaking News Point of Sale Breach Security Breach

Harbortouch discloses a breach caused by malicious software


Harbortouch, which supplies point-of-sale (POS) systems to thousands of businesses across United States, disclosed a breach in which some of its restaurant and bar customers were impacted by a malware. The malware allowed hackers to get customer card data from the affected merchants.

A card issuer recently reported to KrebsOnSecurity about the concerned authority is ignoring the dangerousness of the breach. And the ignorance of the company would affect more than 4,200 Harbortouch customers nationwide.

Before the Harbortouch had revealed, many sources involved in financial industry suspected that there was a possibility of a breach at a credit card processing company.

According to an article published on  KrebsOnSecurity, the suspicion increased whenever banks realized card fraud that they could not easily trace back to one specific merchant.

Some banks wanted to know about the unrevealed fraud as stolen cards were used to buy goods at big box stores. They made some changes in the way they processed debit card transactions.  

United Bank recently issued a notice saying that in a bid to protect its customers after learning of a spike in fraudulent transactions in grocery stores and similar stores such as WalMart and Target, it has started a block in which customers will now be required to select ‘Debit’ and enter their ‘PIN’ for transactions at these stores while using their United Bank debit card.

Harbortouch issued a statement last week, in which the company said it has identified and contained an incident that affected a small percentage of its merchants. It also confirmed the involvement of malware installation on the POS systems. The advanced malware was designed in such a way that the antivirus program running on the POS System could not detect.

The Harbortouch however, removed the malware from affected systems shortly when the problem was detected.

Mandiant, a forensic investigator, helped the company in its investigation.

The company explained in the statement that it does not directly process or store card holder data and only a small percentage of their merchants got affected for a short period of time. 

Currently, the company’s officials are working with the parties concerned to notify the card issuing banks that were impacted. After that the banks can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.

However, the sources at a top 10 card-issuing bank in the United States that shared voluminous fraud data with an author of KrebsOnSecurity on condition of anonymity, the breach extended to at least 4,200 stores that run Harbortouch’s the POS software.

Nate Hirshberg, marketing director at Harbortouch, said the statements are not true.
Read more »
Malware Report
Malware Report

Updated Dyre malware successfully avoiding sandboxing

The Dyre banking trojan, which lead to stealing of over a million from the corporate banks in April has got a new update which renders it undetectatble by anti-sandboxing techniques.

The malware checks how many processor cores the machine has and if it has only one, it terminates. Since sandboxes are configured with only one processor with one core as a way to save resources, this is an effective evasion technique -  most of the computers now come with multiple cores.

Seculert's check for Dyre's evasion of analysis with four commercially available sandboxes revealed that the malware has been successful in fooling the systems.

In addition Dyre has switched user agents to avoid detection by signature-based systems. The Upatre downloader which is working in conjunction with Dyre also has new changes to avoid signature-based detection. Upatre now uses two user agents and different download communication pathway. The communication path naming convention is obscure and not based on identifiable characteristics.

These progress in malware technologies reveal that sandboxing alone cannot be an effective way to deal with vulnerabilities. The ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time.
Read more »
Wordpress Security
Vulnerability Wordpress Security

Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities has been discovered in TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, improper access control, and to perform Cross-Site Scripting attacks against users.

To exploit the local PHP File Inclusion vulnerability, an attacker needs to have administrator privileges on WordPress installation. PHP does not properly verify the URL before being used in  ‘include()’ function , and can be abused to include arbitrary local files via directory traversal sequences.

HTTP POST parameters are supplied by many users during the checkout process. These parameters are not being sanitized before being stored in the local database.  Which can be easily exploited by a non-authenticated attacker, they  may inject malicious HTML and JS code that will be stored in the application database, and made available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Due to broken authentication mechanism any non-authenticated user may browse orders of other users. They easily predict the order ID, enables them to steal all currently-existing orders.

The vulnerability can be reproduced by opening the  following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And full details of the orders can be viewed by opening the following URL
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Inputs  can be passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id" and "rel_type", and "post_type"  GET parameter. These are not properly verified before being returned to the user. An attacker can logged-in as  administrator to open a link, and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Read more »
Malware Report
Banking Trojans Malware Report

New malware in online banking causes problem in Japan


A new online banking malware, which was found in Operation Emmental, has now been causing problems in Japan.

TROJ_WERDLOD, a new detected malware, has been causing problems in the country since December 2014. More than 400 systems were affected by the new malware.

According to Hitomi Kimura, a security specialist at TrendMicro, the malware can change two settings which allow information theft at the network level.

It does not require a reboot or any memory-resident processes on the affected systems.

Kimura wrote on a blog that one of settings gets modifies in the system’s proxy settings. The attackers controls the way from Internet traffic to a proxy. And the second is the additional malicious root certificate to the system’s trusted root store. It allows malicious site certificates which are added in man-in-the-middle attacks to be used without triggering alerts or error messages.

He wrote that the TROJ_WERDLOD harms users via spam mails with an attached .RTF document. The document said to be an invoice or bill from an online shopping site. If anyone opens the .RTF file, the user gets instruction to double-click the icon in the document in order to execute the TROJ_WERDLOD in the system.
Spam mail which leads to TROJ_WERDLOD. Photo Courtesy:TrendMicro

According to him, the hackers used a fake certificate and proxy in Operation Emmental. They also used fake mobile apps in order to steal SMS messages from online banks. It seems that the same behavior may be seen in the future in Japan, although Japanese banks rarely use SMS authentication.

Kimura suggested that in order to restore an infected PC to its normal condition, the following steps should be taken:
-        1. Remove the proxy automatic setting in Windows and Firefox and if anyone has an option provided by the ISP and/or system administrator, he/she can change it back to the previous setting.
-        
           2. Remove the malicious root certificate installed by TROJ_WERDLOD which was stored in Windows and Firefox. This malicious root certificate has the following signature:
·         A134D31B 881A6C20 02308473 325950EE 928B34CD
Read more »
IT Security
Breaking News Information Security News IT Security

Google launches 'Password Alert' to protect its users from phishing attacks


Google on April 29 launched a new extension, ‘Password Alert’, which warns people whenever they type in their Google password on any site that is not a Google sign-in page.

Drew Hintz, security engineer and Justin Kosslyn, Google Ideas, posted on the Google’s Online Security Blog, that the Password Alert, which is now available on the Chrome Web Store, is aimed to prevent phishing attacks. However, it also aims to minimize the over use of Google password.

They wrote that it is designed to alert people while they use their Google password on those sites which are not operated by Google.

According to them, if anyone enters his/her password on a website that’s imitating accounts.google.com and aims to get personal details, he/she will receive a warning. It also provides people time to change their password before it gets misused.

It works by checking the HTML of the page to identify whether it’s a legitimate Google sign-in page or not.

According to Google, the password hacking is known as “phishing” which represents two percent of all Gmail messages.

The new tool is believed to be an additional attempt of security for Google’s users. The Password Alert sits among a number of tools which are aimed to safeguard user accounts. Other methods include two-step authentication and security key.
Read more »
Vulnerability
Router vulnerability Vulnerability

Vulnerability in Realtek SDK leaves D-Link and TRENDnet routers vulnerable to Hackers

D-Link and TRENDnet's routers are vulnerable to remote code execution attacks due to a flaw in a component of the Realtek, Software Development Kit (SDK).

A content developer at HP Enterprise Security discovered the flaw.

Ricky Lawshae first informed about the flaw to HP’s Zero-Day Initiative (ZDI) in August 2014. Then in October, he reported for the last time about his findings to them.

However, the Realtek did not come up with a plan to solve the problem. As a result, the routers flaw has been disclosed.

The vulnerability (CVE-2014-8361) allows a remote, unauthenticated attacker to execute arbitrary code on affected systems with root privileges. ZDI has assigned the vulnerability a CVSS score of 10.

The security hole affects the Realtek SDK used for RTL81xx chipsets.

Although, the flaw on D-Link and TRENDnet routers has been discovered, it is not clear that how many small office and home (SOHO) routers are affected.

The researcher however said that those devices using the minigd binary from the Realtek SDK are likely to be vulnerable.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” ZDI officials wrote in an advisory published on Friday.

“Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it.”

Realtek still has not commented on the findings.

D-Link has released firmware updates that addresses the security vulnerabilities in affected D-Link devices.

It is said that the flaw, which was found on those wireless routers, are not unique or rare.

Earlier, researchers reported about the several vulnerabilities related to the ncc/ncc2 service used by devices from the vendors. Both D-Link and Trendnet released firmware updates to address the issues.

Last month, a researcher complained that D-Link had failed to properly patch those vulnerabilities related to the Home Network Administration Protocol (HNAP).
Read more »
Vulnerability
Breaking News Stored XSS Vulnerability Vulnerability

WordPress patches Stored XSS bug, Many versions affected

(PC- google images)
WordPress has issued a critical security update - WordPress Security Release 4.2.1, announced in an advisory by consultant Gary Pendergast, after millions of websites were at risk of a bug that allows attackers to take control of a system.

Pendergast read, “A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenter to compromise a site”. He added, "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."

Discovered by Jouko Pynnönen of Finnish security company Klikki ; the critical, unpatched zero-day vulnerability, affecting WordPress’ comment mechanisms, is a stored cross-scripting (XSS) bug that allows a hacker to take over an entire website running the WordPress platform.

In a blog post, Klikki explained that if triggered by a logged-in administrator, under default settings, the attacker can leverage the vulnerability to execute arbitrary code on the server via the plug-in and theme editors. Alternately the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The vulnerability is exploited by injecting JavaScript in the WordPress comment section, and then adding 64Kb of the text.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64kilobytes, so the comment has to be long”, Pynnönen said.

 "The truncation results in malformed HTML generated on the page.The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core”, added he. 

WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.

Similar to the one reported by Cedric Van Bockhaven in 2014, the only difference in this version is the use of excessively long comment for the same effect.  In both the cases, the injected JavaScript can’t be triggered in the administrative Dashboard so these exploits require getting around comment moderation e.g. by posting one harmless comment first.
Read more »
Malware Report
Malware Report

Fake adult site infecting your phone with SMS Trojan

People at Zscalar Research have found out that, a chinese porn site has been masquerading, and in reality is making your phone infected with malware.

When you visit the page, and try to play a video, the website asks you to download a piece of software to view the video, which in reality is a trojan.

The trojan installs itself in your phone and becomes a Broadcast Receiver, and intercepts all the SMS communications that happen on your phone. This is used by hackers to do fraudulent transactions on affected phones.

The payload filename is dynamically generated by the website so as no blacklisting of the malicious malware can be done.
Read more »
Hacking the Internet of Things
Cyber Security News Hacking the Internet of Things

Couple has important message for other parents

Recently, a couple in Washington gave out an important message to other parents, after they had discovered their baby monitor had been hacked.

A couple in Minnesota, whose baby monitor had also been hacked earlier, had also been in the the news before.

“ We don’t know if they could hear but we know that they were watching, for sure,” said a parent.

The couple had been using the monitor for keeping an eye on their three-year old, who complained that somebody had been talking to him over the monitor at night.

Upon investigation they found out that their baby monitor had been hacked and was being controlled by hackers.

“It got me worried that they’ve seen things maybe they shouldn’t see that are private, our privacy’s been hacked,” said the parent.
Read more »
Hackers Arrested
Cyber Crime Report Hackers Arrested

25-year-old student hacked University’s computers to upgrade his marks

A 25-year-old student, who hacked Birmingham University's computers to upgrade his marks, has been jailed for four years.

Imran Uddin, who was pursuing his final year in bio-science course at the University of Birmingham, increased his marks from 57 per cent to 73 per cent by stealing staffs passwords using a keyboard spying device.

According to the Birmingham Crown Court, in order to steal the staffs passwords, Uddin had attached a hardware keylogger at the back of computers.

The incident came into light on October 7 last year, when two staffs carried out a routine upgrade on a computer in the bio-science building.

The attached devices, which could record the key strokes of anyone, were found at the back of the computers when staff removed protective casing.

After that other computers of the University were checked where they found more such devices attached.

The court sent him to jail after he admitted six charges as per the Computer Misuse Act.

Judge James Burbidge QC told Uddin (The Telegraphreports), "For reasons not entirely clear to me, whether it was monetary, or pride or a desire to out-perform others, you decided to cheat and you formed a settled intention to do that. I consider your actions were planned and persistent.”
He added that this kind of conduct has the potential to undermine public confidence in the degree system, set up by this university.

“I have decided that I cannot pass a suspended sentence because there needs to be an element of deterrence," he said.

Madhu Rai, the prosecuting, said that the one of the devices was attached to a computer of Christine Chapman, a staff, who had access to the University grades.

Police found that Uddin had made ebay searches on his computer for keyboard cheating devices.

Balbir Singh, the defending, said that Uddin, who was the first person from his family to go to University, did so because of the pressure. He could not see clearly.

A spokeswoman for the Birmingham University said that they could not comment on individual cases, however, they took any criminal activity seriously and work closely with West Midlands Police.

Along with the legal sanctions, students, who convicted such crimes, face misconduct investigation and ultimately face permanent exclusion.
Read more »
Vulnerability
Vulnerability

Vulnerability in Wi-fi authentication component

A vulnerability in wpa_supplicant, used to authenticate clients on Wi-fi networks, could expose Android, BSD, Linux, and possibly Windows and Mac OS X system to attack.

The  vulnerability uses Service Set Identifier’s information to create or update P2P peer  entries. The valid length range of SSID is 0-32 octets, but on one of the code paths wpa_supplicant was not sufficiently verifying the payload length. This resulted in copying of  arbitrary data from an attacker to a fixed length buffer of 32 bytes.

The device  results in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

According to Jouni Malinen, maintainer of wpa_supplicant, “The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.”

This issue was reported by the Google security team and hardware research group of Alibaba security team.

The users could merge the following commits to wpa_supplicant and rebuild it,  validate SSID element length before copying it (CVE-2015-1863) from http://w1.fi/security/2015-1/.  Update to  wpa_supplicant v2.5 or newer versions, once  they are available.
Read more »
Subscribe to: Comments (Atom)