beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners

Archive

Tag: Hacker

The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry’s security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification…

Verizon’s breach report, available here (PDF), describes another advanced technique used to steal card data, called “memory scraping,” which involves dumping sensitive data that is stored in a computer’s memory before or after it can be encrypted.

“Criminals have re-engineered their processes and developed new tools–such as memory-scraping malware–to steal this valuable commodity,” the report reads. “This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible. As a result, our 2008 caseload is reflective of these trends and includes more targeted, cutting edge, complex, and clever cybercrime attacks than seen in previous years.”

Full Story/Source

One disturbing trend has been noted before: Organized criminal groups around the world are finding profit in phishing scams and “botnets” that surreptitiously take over PCs and steal credit card numbers or other personal information that can be used in various fraudulent schemes.

“We’ve seen the attackers evolve significantly, from amateurs and teenagers to dedicated groups that are much better directed and funded,” said Vincent Weafer, a Symantec vice president.

Those groups are adapting and exploiting new vulnerabilities as fast as the experts fix old ones, he added. While the security of operating systems and browsers is improving, Weafer said, hackers are turning their attention to weaknesses in applications or plug-ins, which are smaller programs that help deliver specific information or content on a Web site.

Hackers can exploit flaws in those programs to deliver malicious code or divert visitors to another server that is under the hackers’ control, he said.

“In the case of a popular, trusted site with high traffic, this can yield thousands of compromises from a single attack,” said the Symantec report. While the report did not cite any example of a major commercial site being compromised, it said Web sites operated by the United Nations and the British government were used last year to deliver malicious material to visitors without their knowledge.

Full Story/Source

SANTA ANA, California (Reuters) – A computer hacker testified on Wednesday that a News Corp unit hired him to develop pirating software, but denied using it to penetrate the security system of a rival satellite television service.

Christopher Tarnovsky — who said his first payment was $20,000 in cash hidden in electronic devices mailed from Canada — testified in a corporate-spying lawsuit brought against News Corp’s NDS Group by DISH Network Corp.

The trial could result in hundreds of millions of dollars in damage awards.

NDS, which provides security technology to a global satellite network that includes satellite TV service DirecTV, denies the claims, saying it was only engaged in reverse engineering — looking at a technology product to determine how it works, a standard in the electronics industry.

After an introduction by plaintiff’s attorney Chad Hagan as one of the “two best hackers in the world,” Tarnovsky told the court that he was paid on a regular basis by Harper Collins, a publishing arm of News Corp, for 10 years.

Tarnovsky said one of his first projects was to develop a pirating program to make DirecTV more secure.

But lawyers for DISH Network claim Tarnovsky’s mission was to hack into DISH’s satellite network, steal the security code, then flood the market with pirated smart cards costing DISH $900 million in lost revenue and system-repair costs.

Source /Full Story

Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation. Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide.

“I was on the phone when it happened, and I couldn’t move and couldn’t speak,” RyAnne Fultz, who has epilepsy, told Wired News about her reaction to viewing one of the images on March 23.

Fultz’s 11-year-old son walked over and closed the browser window after about 10 seconds. Fortunately, she suffered nothing more than a bad headache.

By then, the second day of vandalism on EpilepsyFoundation.org, the jerks had moved on to hijacking the browsers of anyone who clicked on certain forum posts, filling the screens with bright, flashing colors.

Technically, none of this was hacking, since it didn’t involve breaking into anyone’s Web site, and any snotty kid with a rudimentary knowledge of JavaScript could do it.

The Epilepsy Foundation shut off the discussion board on Sunday for about 12 hours, and the attacks stopped.

“This was clearly an act of vandalism with the intent to harm people,” said Eric R. Hargis, the foundation’s president and CEO in a statement released Monday.

However, it doesn’t seem to have been the first instance. A Texas-based discussion Web site called Coping With Epilepsy said it suffered a similar attack last November.

Source

Over the past month, a new type of malicious software has emerged, using a decades-old technique to hide itself from antivirus software.

The malware, called Trojan.Mebroot by Symantec, installs itself on the first part of the computer’s hard drive to be read on startup, then makes changes to the Windows kernel, making it hard for security software to detect it.

Criminals have been installing Trojan.Mebroot, known as a master boot record rootkit, since mid-December, and were able to infect nearly 5,000 users in two separate attacks, staged on Dec. 12 and Dec. 19, according to Verisign’s iDefense Intelligence Team. In order to install the software on a victim’s computer, attackers first lure them to a compromised Web site, which then launches a variety of attacks against the victim’s computer in hopes of finding a way to run the rootkit code on the PC.

Once installed, the malware gives attackers control over the victim’s machine…

“It’s not some new attack vector that’s going to be hard to prevent,” he said. “It’s just something that people haven’t really paid attention to.”

Source/Full Story

WASHINGTON (CNN) — Hackers compromised dozens of Department of Homeland Security computers, moving sensitive information to Chinese-language Web sites, congressional investigators said Monday.

Investigators pointed a finger at a government contractor, saying the firm hired to protect DHS computers tried to hide the incidents from the department.

The FBI is investigating the incidents, a congressional staffer said, and two members of Congress have asked the department’s inspector general to also launch an investigation.

“The results of our [committee] investigation suggest that the department is the victim not only of cyber attacks initiated by foreign entities, but of incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks,” Democratic Reps. Bennie Thompson of Mississippi and James Langevin of Rhode Island said in a written statement.

The lawmakers said committee investigators found dozens of DHS computers were compromised and the incidents “were not noticed until months after the initial attacks.”

The extent of the damage is unclear, but a House Homeland Security Committee staff member said the hackers “took significant amounts of information.”

“We know where it [the information] was taken from, but we don’t know what was taken. We only know how many megabytes was taken,” the staff member said. “Everything was on the LAN A, which was an unclassified network. To the best of our knowledge there was no classified information [taken].”

Full Story and Source

We have seen quite a few stories lately of governments reportedly hacking into other governments but, surprisingly, these stories get little media attention. No blood, no violence, no sex… no interest. Disappointing. This is a new battleground and our government better defend it vigorously. If not, it’s the media’s responsibility to bring it to light for correction. For now, we’ll reserve judgement on whether or not our media or government is “doing their job” but I hope someone’s not asleep at the switch when it’s important to act.

WASHINGTON (AFP) — Several nations and groups are trying to break into the US military’s computer system, the Pentagon said Tuesday after reports China’s military had successfully hacked into the network.

The Chinese military’s cyber-attack was carried out in June following months of efforts, the London-based Financial Times reported Tuesday, citing unnamed current and former US officials.

Officials had told the paper the attack was by China’s People’s Liberation Army (PLA) and that it led to the shutdown of a computer system serving the office of Defense Secretary Robert Gates.

Patrick Ryder, a US Defense Department spokesman, declined to comment on the reported Chinese attack but said the Pentagon “aggressively monitors its networks for intrusions and has appropriate procedures to address” them.

“We know that a number of nations and groups are actively developing these capabilities,” he told AFP.

“We have seen attempts by a variety of state and non-state sponsored organizations to gain unauthorized access to, or otherwise degrade, DoD (Department of Defense) information systems,” he said without identifying them.

Source

The FBI today is urging local wireless network owners to secure their networks in light of a new hacking vulnerability. Network owners who use Wireless Encryption Protocol, or WEP, could have their systems compromised within a minute, starting on Saturday, the FBI’s Birmingham office said at an afternoon press conference.

A new hacking vulnerability is being demonstrated on Saturday by two European researchers, said Dale Miskell, supervisory special agent for the Cyber Crimes Squad. Local networks in particular are in danger from this vulnerability because many are not secure or are running WEP. Miskell said there are almost 500 wireless networks in the area from downtown Birmingham to Interstate 459 and only 5 percent are currently considered secure from this vulnerability.

Owners who use Wireless Encryption Protocol, or WEP are being encouraged to change to a more secure protocol, such as WPA2, TKIP or AES. The techniques for changing to a more secure protocol should be easily accessible on the Web site of a user’s wireless router manufacturer, the FBI said.

“These are easy steps people can do to protect themselves,” Miskell said.

Source

Computerworld is reporting that a researcher at Juniper has discovered an interesting vulnerability that can be used to compromise ARM- and XScale-based electronic devices, such as many popular routers and mobile phones. According to the article, the vulnerability would allow hackers to execute code and compromise personal information or redirect internet traffic at the router level. At this month’s CanSecWest conference, Juniper plans to demonstrate not only the researcher’s discovery but also how he used a common JTAG-developed boundary scan to find the vulnerability, in hopes of shifting more of the black hat community toward looking at devices instead of software.

Source