Forever 21 Warns Shoppers of Payment Card Breach at Some Stores

Another day, another data breach. This time a fast-fashion retailer has fallen victim to a payment card breach.

American clothing retailer Forever 21 announced on Tuesday that the company had suffered a security breach that allowed unknown hackers to gain unauthorized access to data from payment cards used at a number of its retail locations.

The Los Angeles-based company, which operates over 815 stores in 57 countries, did not say which of its stores were affected, but it did note that customers who shopped between March and October this year may be affected.

Forever 21 learned of the breach after the retailer received a report from a third-party monitoring service, suggesting there may have been “unauthorized access to data from payment cards that were used at certain FOREVER 21 stores.”

The company also revealed that in 2015 it implemented encryption and token-based authentication systems intended to protect transaction data on the point-of-sale (PoS) machines in its stores.

However, because these security layers were not functioning on certain PoS devices, hackers were able to gain unauthorized access to data from payment cards at some Forever 21 stores, the company admitted.

Since the investigation of its payment card systems is still ongoing, complete findings of the incident, including the number of customers potentially affected, are not available at the moment.

“Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist,” the US clothing retailer said while announcing the data breach. 

“We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter.”

Meanwhile, customers who shopped at Forever 21 are advised to monitor their payment card statements carefully and to immediately report any unauthorized charges to the bank that issued the card.

This incident is yet another embarrassing breach disclosed recently, following Disqus’ disclosure of a 5-year-old breach in which hackers stole the details of over 17.5 million users, and Yahoo’s disclosure that its 2013 data breach affected all 3 billion of its users.

Recent incidents also include Equifax’s disclosure of a breach affecting potentially 145.5 million customers, the U.S. Securities and Exchange Commission’s (SEC) disclosure of a breach from which hackers profited, and Deloitte’s revelation of a cyber attack that resulted in the theft of its clients’ private emails and documents.

Firefox 57 “Quantum” Released – 2x Faster Web Browser

It is time to give Firefox another chance.

The Mozilla Foundation today announced the release of its much-awaited Firefox 57, aka Quantum, for Windows, Mac, and Linux, a web browser it claims can defeat Google’s Chrome.

It is fast. Really fast. Firefox 57 is based on an entirely revamped design and overhauled core that includes a brand new next-generation CSS engine written in Mozilla’s Rust programming language, called Stylo.

Firefox 57 “Quantum” is the first web browser to utilize the power of multicore processors and offers a browsing experience twice as fast while consuming 30 percent less memory than Google Chrome.

Besides raw speed, Firefox Quantum, which Mozilla calls “by far the biggest update since Firefox 1.0 in 2004,” also brings performance improvements through tab prioritization, and significant visual changes with a completely redesigned user interface (UI), called Photon.

This new version also adds support for AMD VP9 hardware video decoding, which reduces power consumption during playback and so helps keep your system from running out of battery.

Firefox 57 also includes built-in screenshot functionality, improved tracker blocking and support for WebVR to enable websites to take full advantage of VR headsets.

Mozilla plans to speed things up even further by leveraging modern GPUs in the near future.

The desktop version of Firefox Quantum is available for download now from Firefox’s official website, and all existing Firefox users should be upgraded to the new version automatically.

The Android version of Firefox 57 is rolling out on Google Play over the coming days, and the iOS version should eventually arrive on Apple’s official App Store.

OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

More bad news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information about its users, the Chinese smartphone company has been found to have left a backdoor on almost all OnePlus handsets.

A Twitter user who goes by the name “Elliot Anderson” (after Mr. Robot’s main character) discovered a backdoor in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can check whether this application is installed on your own OnePlus device: open Settings, go to Apps, enable “Show system apps” from the three-dot menu in the top right corner, and search the list for EngineerMode.

If it’s there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.

EngineerMode is designed to diagnose issues with GPS, check the root status of the device, perform a series of automated ‘production line’ tests, and more.

After decompiling the EngineerMode APK, the Twitter user found a ‘DiagEnabled’ activity which, when opened with a specific password (“Angela”, recovered by reverse engineering), grants full root access on the smartphone without even unlocking the bootloader.

Although the chance that this application has already been exploited in the wild is probably low, it is a serious security concern for OnePlus users, as anyone can obtain root access with a simple command.

Moreover, with root access in hand, an attacker can perform many dangerous actions on a victim’s OnePlus phone, including stealthily installing sophisticated spyware that is difficult to detect or remove.

Meanwhile, to protect themselves and their devices, OnePlus owners can disable this root access on their phones. To do so, run the following commands in an ADB shell:

setprop persist.sys.adb.engineermode 0
setprop persist.sys.adbroot 0

Alternatively, dial the code *#8011#.
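For readers who manage several handsets, the two manual steps above (check whether EngineerMode is present, then set the two properties) can be scripted over ADB and verified afterwards with getprop. The following Python is an added example, not code from OnePlus or the researcher. It assumes adb is on the PATH with a device authorised for USB debugging, and it matches the package by the substring “engineermode” because the article names the app only as EngineerMode.APK; the exact package name is an assumption.

```python
"""Detect the EngineerMode APK over ADB and apply the two setprop mitigations
from the article, then re-read getprop to confirm they took effect.
Added example; assumes `adb` is on PATH and a device is authorised."""
import subprocess
from typing import Callable, Dict, List

# The two properties the article says to set to 0 in an ADB shell.
HARDENED_PROPS: Dict[str, str] = {
    "persist.sys.adb.engineermode": "0",
    "persist.sys.adbroot": "0",
}

# A runner takes the pieces of an `adb shell` command and returns its stdout.
Runner = Callable[..., str]


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` and return stdout (raises if adb exits non-zero)."""
    proc = subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def find_engineermode(pm_list_output: str) -> List[str]:
    """Parse `pm list packages` output ("package:<name>" per line) and return
    the package names that look like the EngineerMode app. Assumption: the
    package name contains the string "engineermode"."""
    found = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):]
        if "engineermode" in name.lower():
            found.append(name)
    return found


def parse_getprop(getprop_output: str) -> Dict[str, str]:
    """Parse `getprop` output lines of the form "[name]: [value]"."""
    props: Dict[str, str] = {}
    for line in getprop_output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        name, value = line[1:-1].split("]: [", 1)
        props[name] = value
    return props


def props_hardened(getprop_output: str) -> bool:
    """True only when both mitigation properties read back as 0."""
    props = parse_getprop(getprop_output)
    return all(props.get(k) == v for k, v in HARDENED_PROPS.items())


def harden(run: Runner = adb_shell) -> dict:
    """Look for the app, apply the setprop mitigations if it is present, and
    verify. `run` is injectable so the logic can be exercised without a phone."""
    packages = find_engineermode(run("pm", "list", "packages"))
    if packages:
        for name, value in HARDENED_PROPS.items():
            run("setprop", name, value)
    return {
        "engineermode_packages": packages,
        "hardened": props_hardened(run("getprop")),
    }


if __name__ == "__main__":
    print(harden())
```

The verification step matters because setprop on a persist.* property can silently fail when the shell lacks the permission to write it; reading the properties back is the only way to know the device is actually in the hardened state.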

In response to this issue, OnePlus co-founder Carl Pei said that the company is looking into the matter.

The Twitter user has promised to release a one-click rooting app for OnePlus devices using this exploit. We will update the article as soon as it is available.

Hacker Hijacks CoinHive’s DNS to Mine Cryptocurrency Using Thousands of Websites

When I was reporting yesterday on the sudden outbreak of another global ransomware attack, ‘Bad Rabbit,’ I thought: what could be worse than this?

Then late last night I got my answer, with a notification that Coinhive had been hacked. Coinhive is a popular browser-based service that lets website owners embed a JavaScript miner which uses their visitors’ CPU power to mine the Monero cryptocurrency for monetisation.

Reportedly, an unknown hacker managed to hijack Coinhive’s Cloudflare account, which allowed them to modify its DNS settings and replace Coinhive’s official JavaScript file, embedded in thousands of websites, with a malicious version:

https://coin-hive[.]com/lib/coinhive.min.js

Hacker Reused Leaked Password from 2014 Data Breach

Apparently, the hacker accessed Coinhive’s Cloudflare account using an old password that had been leaked in the Kickstarter data breach in 2014.

“Tonight, Oct. 23th at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server.” Coinhive said in a blog post today.

“This third-party server hosted a modified version of the JavaScript file with a hardcoded site key.”

As a result, thousands of sites using the Coinhive script loaded, for at least six hours, modified code that mined Monero for the hacker rather than for the site owners.

“We have learned hard lessons about security and used 2FA [Two-factor authentication] and unique passwords for all services since, but we neglected to update our years old Cloudflare account.”
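One defensive control the post does not mention, but which bears directly on this kind of swap, is Subresource Integrity (SRI): a site owner pins the hash of the third-party script they audited in the script tag’s integrity attribute, and the browser refuses to execute a fetched file whose hash differs, so a file replaced through a DNS hijack would fail to load instead of running with the attacker’s site key. The following Python is an added example, not Coinhive’s code or anything from the post; it computes and checks SRI tokens the way a browser does, and the script bodies and URL are constructed stand-ins, not the real coinhive.min.js.

```python
"""Subresource Integrity (SRI) for a third-party script: pin the hash of the
audited file and reject any body whose hash differs. Added example; the script
bodies and URL below are constructed stand-ins."""
import base64
import hashlib

# The only digest algorithms the SRI specification allows.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ("<algo>-<base64 digest>") for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def sri_verify(body: bytes, integrity: str) -> bool:
    """Emulate the browser's decision: recompute each pinned token and accept
    the resource only if at least one matches. The integrity attribute may
    carry several space-separated tokens; unknown algorithms are ignored."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_hash(body, algo) == token:
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site owner publishes after auditing `body`.
    crossorigin is required for SRI on cross-origin scripts."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(body)))


# Constructed stand-ins for the audited file and the hijacked copy. The only
# difference is the embedded site key, mirroring the incident's "hardcoded
# site key": the owner's key comes from the page, the attacker's is baked in.
ORIGINAL_JS = b"var m=new Miner({siteKey:document.currentScript.dataset.key});m.start();"
HIJACKED_JS = b"var m=new Miner({siteKey:'ATTACKER_SITE_KEY'});m.start();"

if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_JS)
    print(script_tag("https://example.invalid/lib/miner.min.js", ORIGINAL_JS))
    print("original accepted:", sri_verify(ORIGINAL_JS, pinned))  # True
    print("hijacked accepted:", sri_verify(HIJACKED_JS, pinned))  # False
```

The caveat is that SRI pins one exact file, so it only works when the third party serves versioned, immutable script URLs with CORS headers; against a script that is silently updated in place, the pin would break the embed at the next legitimate release. In a DNS-hijack scenario like this one, that failure is the safe outcome for visitors: the page loses the miner rather than running the attacker’s copy.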

Your Web Browser Could Be Mining Cryptocurrencies Secretly for Strangers

Coinhive gained media attention in recent weeks after The Pirate Bay, the world’s most popular torrent download site, was caught secretly running this browser-based cryptocurrency miner on its pages.

Soon after, thousands of other websites also adopted Coinhive as an alternative monetisation model, using their visitors’ CPU processing power to mine digital currency.

Hackers, too, are using Coinhive-like services to make money from compromised websites by secretly injecting the mining script.

The company is now also looking at ways to reimburse its users for the revenue lost because of the breach.

How to Block Websites From Hijacking Your CPU to Mine Cryptocoins

Because of the concerns above, some antivirus products, including Malwarebytes and Kaspersky, have started blocking the Coinhive script to protect their customers from unauthorised mining and excessive CPU usage.

You can also install No Coin or minerBlock, small open-source browser extensions that block coin miners such as Coinhive.

Disqus Hacked: More than 17.5 Million Users’ Details Stolen in 2012 Breach

Another day, another data breach disclosure.

This time a popular commenting system has fallen victim to a massive security breach.

Disqus, the company that provides a web-based comment plugin for websites and blogs, has admitted that it was breached 5 years ago, in July 2012, and that hackers stole the details of more than 17.5 million users.

The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users.

What’s more, hackers also got hold of passwords for about one-third of the affected users; these were salted and hashed with the weak SHA-1 algorithm.

The company said the exposed user information dates back to 2007, with the most recent records from July 2012.

According to Disqus, the company became aware of the breach on Thursday (5th October) evening after independent security researcher Troy Hunt, who had obtained a copy of the site’s data, notified the company.

Within about 24 hours, Disqus disclosed the data breach and began contacting affected users, forcing them to reset their passwords as soon as possible.

“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared,” Disqus’ CTO Jason Yan said in a blog post.

Since late 2012, Disqus has made other security upgrades and changed its password hashing algorithm to bcrypt, a much stronger algorithm that makes it far harder for hackers to recover users’ actual passwords.

“Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security,” Yan said. “Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.”

In addition to resetting your Disqus password, you are advised to change your passwords on any other online services where you used the same credentials.

Hackers are likely to use this stolen information together with social engineering techniques to extract further information from victims, so beware of spam and phishing emails carrying malicious file attachments.

It is still unclear how the hackers got hold of Disqus’ data. San Francisco-based Disqus is still actively investigating the security incident.

We will update you as soon as more details surface.

This is yet another embarrassing breach disclosed recently, after Equifax’s disclosure of a breach affecting potentially 145.5 million US customers, the U.S. Securities and Exchange Commission’s (SEC) disclosure of a breach from which hackers profited, and Yahoo’s recent disclosure that its 2013 data breach affected all 3 billion of its users.

Powered by WPeMatico

Amazon’s Whole Foods Market Suffers Credit Card Breach In Some Stores

Another day, another data breach. This time an Amazon-owned grocery chain has fallen victim to a credit card security breach.

Whole Foods Market—acquired by Amazon for $13.7 billion in late August—disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores.

Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada.

The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit card details.

The company also said that people who only shopped for groceries at Whole Foods were not affected, and that the hackers were not able to access Amazon transactions in the security breach.

Instead, only certain venues such as taprooms and table-service restaurants located within its stores—which use a separate POS system—were impacted.

Whole Foods Market has hired a cybersecurity firm to help it investigate the credit card breach and has notified law enforcement authorities of the incident.

“When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue,” Whole Foods said in a statement on its website.

The company is also encouraging its customers to closely monitor their credit card statements and “report any unauthorized charges to the issuing bank.”

According to Whole Foods Market, none of the affected systems being investigated are, in any way, connected to Amazon.com systems.

Whole Foods Market is the latest victim of a high-profile cyber attack. Earlier this month, global tax and auditing firm Deloitte suffered a cyber attack that resulted in the theft of private emails and documents of some of its clients.

Last week, the U.S. Securities and Exchange Commission (SEC) also disclosed that unknown hackers had managed to hack its financial document filing system and illegally profited from the stolen information.

Last month, credit rating agency Equifax publicly disclosed a breach of its systems that exposed personal details, including names, addresses, birthdays and Social Security numbers, of potentially 143 million US customers.

Google Researcher Publishes PoC Exploit for Apple iPhone Wi-Fi Chip Hack

You now have another good reason to update your iPhone to the newly released iOS 11: a security vulnerability in iOS 10 and earlier now has a working exploit publicly available.

Gal Beniamini, a security researcher with Google Project Zero, has discovered a security vulnerability (CVE-2017-11120) in Apple’s iPhone and other devices that use Broadcom Wi-Fi chips, and it is very easy to exploit.

This flaw is similar to the one Beniamini discovered in the Broadcom Wi-Fi SoC (System-on-Chip) back in April, and to the BroadPwn vulnerability disclosed by Exodus Intelligence researcher Nitay Artenstein earlier this summer. All of these flaws allow remote takeover of smartphones over local Wi-Fi networks.

The newly discovered vulnerability, which Apple fixed with its major iOS update released on September 19, could allow hackers to take control over the victim’s iPhone remotely. All they need is the iPhone’s MAC address or network-port ID.

And since obtaining the MAC address of a connected device is easy, the vulnerability is considered a serious threat to iPhone users.

Beniamini informed Wi-Fi chip maker Broadcom and privately reported the vulnerability in Google’s Chromium bug tracker on August 23.

Now, following the iOS 11 release, Beniamini has published a proof-of-concept (PoC) exploit for the flaw to demonstrate the risk it poses to iPhone users.

Beniamini says the flaw exists on Broadcom chips running firmware version BCM4355C0, which is used not only in iPhones but also in a large number of other devices, including Android smartphones, the Apple TV and smart TVs.

Once the exploit runs, it inserts a backdoor into the Broadcom chip’s firmware, which allowed Beniamini to remotely read from and write to the firmware, “thus allowing easy remote control over the Wi-Fi chip.”

Once that is done, “you can interact with the backdoor to gain R/W access to the firmware by calling the ‘read_dword’ and ‘write_dword’ functions, respectively.”

The researcher tested his exploit only against the Wi-Fi firmware in iOS 10.2 but believes it should also work on all versions of iOS up to 10.3.3.

“However, some symbols might need to be adjusted for different versions of iOS, see ‘exploit/symbols.py’ for more information,” Beniamini writes.

Since there is no way to find out whether your device is running firmware version BCM4355C0, users are advised to update their iPhones to iOS 11. Apple has also patched the issue in the most recent version of tvOS.

Google has also addressed this issue for Nexus and Pixel devices, and for Android generally, earlier this month; however, other Android users must wait for their handset manufacturers to push the updates to their devices.

Deloitte Hacked — Cyber Attack Exposes Clients’ Emails

Another day, another data breach. This time one of the world’s “big four” accountancy firms has fallen victim to a sophisticated cyber attack.

Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.

Deloitte is one of the largest private accounting firms in the U.S., offering tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition services to large banks, government agencies and Fortune 500 multinationals, among others.

The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that “very few” of its clients had been affected, the Guardian reports.

The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.

The hackers gained access to Deloitte’s email server through an administrator account that was not secured with two-factor authentication (2FA), giving them unrestricted access to Deloitte’s Microsoft-hosted mailboxes.

Besides emails, hackers also may have had potential access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a Deloitte spokesperson told the newspaper.

As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

Deloitte’s internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was “impacted” by the breach.

Deloitte is the latest victim of a high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed personal data of as many as 143 million US customers.

Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers managed to hack its financial document filing system and illegally profited from the stolen information.

Passwords For 540,000 Car Tracking Devices Leaked Online

Another day, another data breach, though this one is particularly disconcerting.

More than half a million records, including login credentials, belonging to vehicle tracking company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this leak is yet another example of sensitive data stored on a misconfigured cloud server.

The Kromtech Security Center was first to discover a wide-open, public-facing, misconfigured Amazon Web Services (AWS) S3 storage bucket containing a cache belonging to SVR that had been left publicly accessible for an unknown period.

SVR stands for Stolen Vehicle Records; the SVR Tracking service lets its customers track their vehicles in real time by attaching a physical tracking device in a discreet location, so that they can monitor and recover the vehicles if they are stolen.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VINs (vehicle identification numbers) and the IMEI numbers of GPS devices.

The leaked passwords were stored using SHA-1, a 20-year-old, weak cryptographic hash function designed by the US National Security Agency (NSA), which can be cracked with ease.

The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR’s tracking services.

Interestingly, the exposed database also contained information on where exactly in the car the physical tracking unit was hidden.

According to Kromtech, the total number of devices exposed “could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking.”

Since SVR’s tracking device records a vehicle’s movements for the past 120 days, anyone with access to SVR users’ login credentials could both track a vehicle in real time and build a detailed log of every location it has visited, from any internet-connected device such as a desktop, laptop, mobile phone or tablet.

An attacker could then outright steal the vehicle, or even rob a home knowing the car’s owner is out.

Kromtech responsibly alerted the company to the misconfigured AWS S3 storage bucket, which has since been secured. However, it is unclear whether the publicly accessible data was accessed by hackers or not.

Here’s How CIA Spies On Its Intelligence Liaison Partners Around the World

WikiLeaks has just published another Vault 7 leak, revealing how the CIA spies on its intelligence partners around the world, including the FBI, DHS and NSA, to covertly collect data from their systems.

The CIA offers a biometric collection system, with predefined hardware, operating system and software, to its intelligence liaison partners around the world so that they can voluntarily share the biometric data collected on their systems with each other.

But since no agency shares all of its collected biometric data with the others, the Office of Technical Services (OTS) within the CIA developed a tool to secretly exfiltrate data collections from their systems.

The newly revealed CIA project, dubbed ExpressLane, details spying software that CIA agents manually install as part of a routine upgrade to the biometric system.

The leaked CIA documents reveal that the OTS officers who maintain biometric collection systems installed at liaison services visit their premises and secretly install the ExpressLane Trojan while displaying an “upgrade Installation screen with a progress bar that appears to be upgrading the biometric software.”

“It will overtly appear to be just another part of this system. It’s called: MOBSLangSvc.exe and is stored in Windows\System32,” leaked CIA documents read.

“Covertly it will collect the data files of interest from the liaison system and store them encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system.”

ExpressLane includes two components:

  • Create Partition — This utility allows agents to create a covert partition on the target system where the collected information (in compressed and encrypted form) will be stored.
  • Exit Ramp — This utility lets the agents steal the collected data stored in the hidden partition using a thumb drive when they revisit.

The latest version, ExpressLane 3.1.1, removes itself by default six months after installation in an attempt to erase its footprints, though OTS officers can change this date.

The biometric software system that the CIA offers is based on a product from Cross Match, a US company specializing in biometric software for law enforcement and the intelligence community, which was also used to “identify Osama bin Laden during the assassination operation in Pakistan.”

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed CouchPotato, which revealed the CIA’s ability to spy on video streams remotely in real-time.

Since March, WikiLeaks has published 21 batches in the “Vault 7” series, including the latest leak and last week’s, along with the following:

  • Dumbo — A CIA project that disclosed the CIA’s ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
  • Imperial — A CIA project that revealed details of at least 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux.
  • UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild malware and hacking tools and submitted at least five reports to the spying agency to help it develop its own malware.
  • Highrise — An alleged CIA project that allows the spying agency to stealthily collect and forward stolen information from compromised phones to its server via SMS messages.
  • BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the US agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers.
  • OutlawCountry — An alleged CIA project that let the agency hack and remotely spy on computers running Linux.
  • ELSA — Alleged CIA malware that tracks the location of targeted laptops and PCs running the Microsoft Windows operating system.
  • Brutal Kangaroo — A Microsoft Windows tool suite used by the agents to target closed networks or air-gapped PCs within an organisation or enterprise without requiring any direct access.
  • Cherry Blossom — A CIA framework employed by its agents to monitor the Internet activity of target systems by exploiting bugs in Wi-Fi devices.
  • Pandemic — A CIA project that let the spying agency turn Windows file servers into covert attack machines that can silently infect other systems of interest inside the same network.
  • Athena — A spyware framework that the secretive US agency uses to take full remote control of infected Windows machines; it works against every version of the Windows operating system, from Windows XP to Windows 10.
  • AfterMidnight and Assassin — Two alleged CIA malware frameworks for the Windows platform designed to monitor and report back on actions on the infected remote host and to execute malicious actions.
  • Archimedes — A man-in-the-middle attack tool allegedly developed by the US agency to target systems inside a local area network (LAN).
  • Scribbles — Software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the agents to track insiders and whistleblowers.
  • Grasshopper — A framework that let the spying agency easily create custom malware for breaking into Microsoft Windows and bypassing antivirus software.
  • Marble — Source code of a secret anti-forensic tool used by the US agency to hide the actual source of its malicious payloads.
  • Dark Matter — Hacking exploits the US spying agency designed and used to target iPhones and Macs.
  • Weeping Angel — A spying tool used by CIA agents to infiltrate smart TVs and transform them into covert microphones.
  • Year Zero — CIA hacking exploits for popular hardware and software.
