The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.
Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.
The bug in the latest version of Apple’s OS X gives attackers root user privileges via a small piece of code that could be packed into a message.
Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.
The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that standard safeguards involving additions to the OS X dynamic linker dyld applied to them because they were protected from harm by Steve Jobs’ ghost.
This means that attackers can open or create files with root privileges anywhere in the OS X file system.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
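The inheritance problem Esser describes is not specific to dyld: any privileged program that opens a file without the close-on-exec flag hands the open descriptor to every program it later execs. The following C program is an added example (not Esser’s code and not Apple’s) that shows the failure mode and the fix side by side: it opens a scratch log file once without and once with O_CLOEXEC, then execs a shell child that tries to write to that descriptor number. It assumes a POSIX system with /bin/sh and a writable /tmp; the scratch file name is constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open an append-only log file. `cloexec` selects between the careless
 * open (descriptor survives exec, as in the dyld bug) and the hardened
 * one (O_CLOEXEC set, so exec closes it). */
static int open_log(const char *path, int cloexec) {
    int flags = O_WRONLY | O_CREAT | O_APPEND;
    if (cloexec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* Fork and exec a shell that tries to write to descriptor `fd`.
 * Returns 1 if the child could use the descriptor (it was inherited),
 * 0 if it was closed across exec, -1 on error. The stderr redirect is
 * placed first so the shell's "Bad file descriptor" message stays quiet.
 * Single-digit descriptors only, which is what /bin/sh reliably accepts. */
static int child_inherits_fd(int fd) {
    char cmd[64];
    if (fd < 0 || fd > 9)
        return -1;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Run both variants against a throwaway file. On return *leaky holds the
 * result for the careless open and *safe the result for the O_CLOEXEC open.
 * Returns 0 on success, -1 if the setup failed. */
static int demo_fd_inheritance(int *leaky, int *safe) {
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* constructed scratch file */
    int tfd = mkstemp(path);
    if (tfd < 0)
        return -1;
    close(tfd);

    int fd = open_log(path, 0);
    if (fd < 0) { unlink(path); return -1; }
    *leaky = child_inherits_fd(fd);
    close(fd);

    fd = open_log(path, 1);
    if (fd < 0) { unlink(path); return -1; }
    *safe = child_inherits_fd(fd);
    close(fd);

    unlink(path);
    return 0;
}

int main(void) {
    int leaky, safe;
    if (demo_fd_inheritance(&leaky, &safe) != 0) {
        perror("demo");
        return 1;
    }
    printf("without O_CLOEXEC: child %s the log descriptor\n",
           leaky ? "inherited" : "did not inherit");
    printf("with O_CLOEXEC:    child %s the log descriptor\n",
           safe ? "inherited" : "did not inherit");
    return 0;
}
```

The second variant is the audit check to apply to any SUID or privileged daemon that opens files: every descriptor that is not meant for a child should carry FD_CLOEXEC (set at open time with O_CLOEXEC, or afterwards with fcntl F_SETFD), and the file should be closed as soon as it is no longer needed rather than left open for the life of the process.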
The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.
An Apple spokesman said that engineers are aware of Esser’s post; of course, they did not say they would do anything about it. They will have to go through the existential crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.
Microsoft is very close to releasing Advanced Threat Analytics (ATA) the security sure-up that it first announced three months ago.
ATA, or MATA as we called it for our own small amusement, is the result of three months’ real world testing, and the culmination of enough user feedback to inform a final release.
That final release will happen in August, which should give you plenty of time to get your head around it.
Hmmm. Microsoft’s Advanced Threat Analytics seems like a very good idea focused on the enterprise.
— Kevin Jones (@vcsjones) May 4, 2015
Idan Plotnik, who leads the ATA team at Microsoft, explained in an Active Directory Team Blog post that the firm is working towards removing blind spots from security analytics, and that this release should provide a strong and hardy tool for the whacking away of hacking.
“Many security monitoring and management solutions fail to show you the real picture and provide false alarms. We’ve taken a different approach with Microsoft ATA,” he said.
“Our secret sauce is our combination of network Deep Packet Inspection, information about the entities from Active Directory, and analysis of specific events.
“With this unique approach, we give you the ability to detect advanced attacks and stolen credentials, and view all suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline.”
The Microsoft approach is an on-premise device that detects and analyses threats as they happen and on a retrospective basis. Plotnik said that it combines machine learning and knowledge about existing techniques and tactics to proactively protect systems.
“ATA detects many kinds of abnormal user behaviour many of which are strong indicators of attacks. We do this by using behavioural analytics powered by advanced machine learning to uncover questionable activities and abnormal behaviour,” he added.
“This gives the ability for ATA to show you attack indicators like anomalous log-ins, abnormal working hours, password sharing, lateral movement and unknown threats.”
A number of features will be added to the preview release, including performance improvements and the ability to deal with more traffic, before general availability next month.
Costco Wholesale Corp , Sam’s Club and several other large retailers have disabled their online photo printing stores in recent days, over concerns about a possible data breach at PNI Digital Media, which manages and/or hosts photo services sites.
Last week CVS Health Corp disabled its CVSphoto.com site, and the week before Walmart Canada’s walmartphotocentre.ca took a similar action after it was informed that customer credit card data had been potentially compromised.
Other photo printing sites that might have been recently affected included Rite Aid Corp and British supermarket chain Tesco’s.
“We take the protection of information very seriously. PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” said Kirk Saville, vice president, global communications at Staples Inc, which bought Vancouver-based PNI last year.
Some websites said they had been advised by PNI of a potential breach, while others said they acted because of recent reports.
Costco Canada and Rite Aid noted that PNI has limited access to customer information since it does not process credit cards, but the photo service sites were temporarily taken down as a precaution.
CVS and Walmart Canada asked customers to monitor their credit card transactions closely for unauthorized charges.
Tesco’s page simply said it was unavailable for routine maintenance.
The retailers’ main websites and other services were not affected by the potential breach.
Security gurus at Malwarebytes have been working on anti-malware software for Macs to ensure that Apple computers are protected from the latest online threats.
In what is perhaps more evidence that Macs should no longer be viewed as immune from malware, the release of Anti-Malware for Mac represents Malwarebytes’ first product dedicated to what the firm calls “underserved Mac user communities”.
The new product is designed to detect and remove malware, adware and potentially unwanted programs, capabilities that Malwarebytes said have been repeatedly requested by customers.
The release also sees Malwarebytes acquiring AdwareMedic by The Safe Mac, which will see AdwareMedic creator and owner Thomas Reed joining the company as director of Mac offerings. The security firm said that this will lead to a growing team of Mac developers and researchers.
“We’ve had repeated requests from our customers and community for malware protection on the Mac, and are now proud to unveil the first version of Malwarebytes Anti-Malware for Mac,” said Chad Bacher, VP of products for Malwarebytes.
“Our vision is to provide protection across all devices, regardless of type or operating system.”
Macs have traditionally been seen as immune from viruses, but Malwarebytes seems to think it’s pretty important that they are protected.
The firm said that there has been a proliferation of new adware in the past two years, including Genieo, Conduit and VSearch, that inject ads and pop-up hyperlinks in web pages, change the user’s homepage and search engine, and insert unwanted toolbars into the browser.
Other features of the Malwarebytes software include the removal of malware, including Trojans, quick virus scanning and simple program management.
Malwarebytes Anti-Malware for Mac 1.0 is available as a free consumer download from today. Small business and enterprise versions will be unveiled later this year, the firm said.
Company executives are worried about security breaches, but recent surveys suggest they are not convinced about the value or effectiveness of cyber insurance.
The report from the University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market outlines a scenario of an electricity blackout that leaves 93 million people in New York City and Washington DC without power.
The scenario, developed by Cambridge, is technologically possible and is assessed to be within the once-in-200-year probability for which insurers should be prepared, the report said.
The hypothetical attack causes a rise in mortality rates as health and safety systems fail, a drop in trade as ports shut down and disruption to transport and infrastructure.
“The total impact to the U.S. economy is estimated at $243 billion, rising to more than $1 trillion in the most extreme version of the scenario,” the report said. The losses come from damage to infrastructure and business supply chains, and are estimated over a five-year time period.
The extreme scenario is built on the greatest loss of power, with 100 generators taken offline, and would lead to insurance industry losses of more than $70 billion, the report added.
There have been 15 suspected cyber attacks on the U.S. electricity grid since 2000, the report said, citing U.S. energy department data.
The U.S. Industrial Control System Cyber Emergency Response Team said that 32 percent of its responses last year to cyber security threats to critical infrastructure occurred in the energy sector.
“The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them,” Tom Bolt, director of performance management at Lloyd’s, said in the report.
The move is the latest in a long string of acts of openness as Microsoft steers towards taking its place in a multi-platform world, rather than attempting to recreate the domination that has slipped through its fingers as the landscape has evolved.
Microsoft has been working to integrate Linux into products like Azure for some time, and it’s getting to the point where it would be pretty idiotic to hold out any further.
Angel Calvo, group software engineering manager for the PowerShell team, said: “A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.
“Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and remotely manage Linux and Windows systems.”
He goes on to explain that Microsoft will become an active member of the OpenSSH community and contribute its own take on things and ensure tight compatibility. There is no set date for launch, and development is in the “early planning stages”.
Calvo said that attempts to support SSH in the past were rejected, although he didn’t make it entirely clear who had rejected Microsoft’s advances.
“Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive,” he said.
OpenSSH was hit by a vulnerability known as Logjam last month. A joint statement from US universities investigating the glitch said: “If you use SSH, you should upgrade your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.”
The company launched an investigation in early May after receiving reports of unusual activity involving payment cards used at some of its stores. While it now has sufficient evidence to confirm an illegal intrusion, the company declined to comment on the breach’s scope until the forensics investigation is complete.
Sally Beauty is one of the largest retailers of beauty products in the U.S. and has over 4,500 stores.
In March last year, the company said hackers stole up to 25,000 customer records containing payment card data. According to the company’s annual report for 2014, attackers managed to install malware on some of its point-of-sale systems and captured “track 2” card data.
Track 2 refers to one of the data tracks encoded on a card’s magnetic stripe. It contains the card’s number and expiration date and can be used by criminals to clone it.
“There can be no assurances that we will not suffer another cyber-attack or data security breach in the future and, if we do, whether our physical, technical and procedural safeguards will adequately protect us against such attacks and breaches,” the company said in its report.
The compromise of point-of-sale systems with memory-scraping malware has resulted in some of the largest card breaches over the past two years. The technique was used to steal 56 million payment card records from Home Depot last year and 40 million from Target in late 2013.
WordPress has issued a security fix after millions of websites were at risk of a bug that allows attackers to take control of a system.
Patched in the WordPress 4.2.1 Security Release, the fix was announced in an advisory by WordPress consultant Gary Pendergast just hours after the vulnerability was disclosed by a bug hunter.
“A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site,” read the advisory.
“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those.”
Uncovered by Oy Jouko Pynnönen, a researcher at Finnish security company Klikki, the vulnerability is a cross-site scripting (XSS) bug that could allow a hacker to take over an entire server running the WordPress platform by changing passwords and creating new accounts.
Pynnönen had known about the bug for some time but decided to take it public because WordPress “refused all the communication attempts” he had made since November 2014.
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” explained Pynnönen in a blog post.
“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
The vulnerability is triggered by injecting code into the comments section of the site and then adding more than 64Kb of text.
“If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page,” he continued.
“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”
WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected, he added.
Security company Rapid7 said that the latest vulnerability is different from the usual throng of WordPress-based attacks, because it targets the core WordPress CMS engine rather than a particular plugin.
“While we see WordPress exploits fairly regularly, they are necessarily limited in scope to just those sites that have enabled the vulnerable plugin,” said Rapid7 engineering manager Tod Beardsley.
Defense contractor Raytheon is acquiring Websense, which it will combine with its own security unit to create a new, separately operated business to battle criminal networks and state-funded espionage.
Today’s Internet attacks “are becoming increasingly more sophisticated and are being perpetuated by state sponsored groups, criminal organizations, hacktivists and insiders,” said David Wajsgras, president of Raytheon’s intelligence, information and services business, in a conference call Monday announcing the acquisition. “Our goal is to provide defense-grade solutions that allow our customers [to] defend against [attacks], detect them early, decide how to counter and defeat such attacks in real-time.”
Raytheon plans to spend $1.9 billion in a deal to get 80 percent ownership of the new business based on Websense. It will then create the new company by combining Websense with its own cyberproducts business unit, valued at approximately $400 million. Vista Equity Partners, Websense’s current owner, will purchase a 20 percent stake in the new, combined company, for approximately $335 million.
The joint venture will be a separately operated Raytheon business segment. John McCormack, current CEO of Websense, will serve as chief executive of the new business. The name of the new company will be disclosed when the deal closes, by the end of the second quarter, the companies said.
Websense’s Triton line of secure Web gateway products guard internal networks against malware, data theft and Internet-based snooping. The new company will combine Triton with Raytheon’s own SureView portfolio of security products, which can watch for unusual user activity, protect against known vulnerability attacks, and detect hidden anomalies using machine-learning technologies.
The two companies also have a complementary customer base. Raytheon has focused largely on serving U.S. defense agencies — it generated sales of $23 billion in 2014, which was mostly from large-scale systems work. Websense has a strong presence in the commercial enterprise market. It serves 21,000 customers and has relationships with over 2,200 channel partners.
Certicom, a subsidiary of BlackBerry and an industry pioneer in elliptic curve cryptography, announced a new offering that it contends will secure millions of devices, expected to be part of the growing Internet of Things (IoT) sphere.
The company said it has already won a contract in Britain to issue certificates for the smart meter initiative there with more than 104 million smart meters and home energy management devices.
The service will make it much easier for companies rolling out such devices to authenticate and secure them, the company said.
Separately, BlackBerry also outlined a plan to expand its research and development efforts on innovation and improvement in computer security.
The initiative is being dubbed BlackBerry Center for High Assurance Computing Excellence (CHACE).
Increased network and device security has become a huge focus for large North American corporations in the face of costly and damaging security breaches.
U.S. retailer Target Corp is still recovering from a major breach in 2013 in which 40 million payment card numbers and 70 million other pieces of customer data such as email addresses and phone numbers were stolen.
Michaels Stores, the biggest U.S. arts and crafts retailer, said last year it had suffered a security breach that may have affected about 2.6 million payment cards.
BlackBerry said the fail-then-patch approach to managing security risk has become a widely accepted practice, but through CHACE it plans to develop tools and techniques that deliver a far higher level of protection than is currently available.
“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).
With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.
This could explain why attackers have recently targeted U.S. health insurance providers. Last Tuesday, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. Last month, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack.
Both attacks exposed similar data, including names, Social Security numbers, birth dates, telephone numbers, member identification numbers, email addresses and mailing addresses. In the Premera breach, medical claims information was also accessed.
If the attackers try to monetize this information, the payout could prove lucrative.
Credentials that include Social Security numbers can sell for a couple of hundred dollars since the data’s lifetime is much longer compared to pilfered credit card numbers, said Matt Little, vice president of product development at PKWARE, an encryption software company with clients that include health care providers. Credit card numbers, which go for a few dollars, tend to work only for a handful of days after being reported stolen.
Target is reportedly close to paying out $10m to settle a class-action case that was filed after it was hacked and stripped of tens of millions of people’s details.
Target was smacked by hackers in 2013 in a massive cyber-thwack on its stores and servers that put some 70 million people’s personal information in harm’s way.
The hack has had massive repercussions. People are losing faith in industry and its ability to store their personal data, and the Target incident is a very good example of why people are right to worry.
As well as tarnishing Target’s reputation, the attack also led to a $162m gap in its financial spreadsheets.
The firm apologized to its punters when it revealed the hack, and chairman, CEO and president Gregg Steinhafel said he was sorry that they had had to “endure” such a thing.
Now, according to reports, Target is willing to fork out another $10m to put things right, offering the money as a proposed settlement in one of several class-action lawsuits the company is facing. If accepted, the settlement could see affected parties awarded some $10,000 for their troubles.
We have asked Target to either confirm or comment on this, and are waiting for a response. For now we have an official statement at Reuters to turn to. There we see Target spokeswoman Molly Snyder confirming that something is happening but not mentioning the 10 and six zeroes.
“We are pleased to see the process moving forward and look forward to its resolution,” she said.
Not available to comment, not that we asked, will be the firm’s CIO at the time of the hack. Thirty-year Target veteran Beth Jacob left her role in the aftermath of the attack, and a replacement was immediately sought.
“To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” said Steinhafel then.
“As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation.”
“Transformational change” pro Bob DeRodes took on the role in May last year and immediately began saying the right things.
“I look forward to helping shape information technology and data security at Target in the days and months ahead,” he said.
“It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests.”
We would ask Steinhafel for his verdict on DeRodes so far and the $10m settlement, but, would you believe it, he’s not at Target anymore either, having left in the summer last year with a reported $61m golden parachute.
Two Vietnamese men have been charged, with one pleading guilty, for hacking into eight U.S. email service providers and stealing 1 billion email addresses and other confidential information, resulting in what’s believed to be the largest data breach in U.S. history, the U.S. Department of Justice announced.
The attacks, running from February 2009 to June 2012, resulted in the largest data breach of names and email addresses “in the history of the Internet,” Assistant Attorney General Leslie Caldwell said in a statement. After stealing the email addresses, the defendants sent spam emails to tens of millions of users, generating US$2 million in sales, according to the DOJ.
Viet Quoc Nguyen, 28, of Vietnam, allegedly hacked into the email service providers, stealing proprietary marketing data containing more than 1 billion email addresses, the DOJ said. Nguyen, along with Giang Hoang Vu, 25, also of Vietnam, then allegedly used the data to send spam messages, the agency alleged.
The indictments of the two men were unsealed Thursday. On Feb. 5, Vu pleaded guilty in U.S. District Court for the Northern District of Georgia to conspiracy to commit computer fraud.
Vu was arrested by Dutch law enforcement in 2012 and extradited to the U.S. a year ago. He is scheduled to be sentenced on April 21. Nguyen remains at large.
In addition to the unsealing of the indictments, a federal grand jury returned an indictment this week against a Canadian citizen for conspiring to launder the proceeds obtained as a result of the massive data breach.
David-Manuel Santos Da Silva, 33, of Montreal, was indicted for conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the spam emails and launder the proceeds.
Uber found out about a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.
The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.
It’s in the process of notifying the affected drivers and advised them to monitor their credit reports for fraudulent transactions and accounts. It said it hadn’t received any reports yet of actual misuse of the data.
Uber will provide a year of free identity protection service to the affected drivers, it said, which has become fairly standard for such breaches.
The company said it had filed a “John Doe” lawsuit Friday to help it confirm the identity of the party responsible for the breach.
Chinese PC and mobile phone maker Lenovo Group Ltd acknowledged that its website was hacked, its second security blemish days after the U.S. government advised consumers to remove software called “Superfish” pre-installed on its laptops.
Hacking group Lizard Squad claimed credit for the attacks on the microblogging service Twitter. Lenovo said attackers breached the domain name system associated with Lenovo and redirected visitors to lenovo.com to another address, while also intercepting internal company emails.
Lizard Squad posted an email exchange between Lenovo employees discussing Superfish. The software was at the center of public uproar in the United States last week when security researchers said they found it allowed hackers to impersonate banking websites and steal users’ credit card information.
In a statement issued in the United States on Wednesday night, Lenovo, the world’s biggest maker of personal computers, said it had restored its site to normal operations after several hours.
“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time,” the company said. “We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information.”
Lizard Squad has taken credit for several high-profile outages, including attacks that took down Sony Corp’s PlayStation Network and Microsoft Corp’s Xbox Live network last month. Members of the group have not been identified.
Starting 4 p.m. ET on Wednesday, visitors to the Lenovo website saw a slideshow of young people looking into webcams and the song “Breaking Free” from the movie “High School Musical” playing in the background, according to technology publication The Verge, which first reported the breach.
Although consumer data was not likely compromised by the Lizard Squad attack, the breach was the second security-related black eye for Lenovo in a matter of days.