Sears Holdings Corp acknowledged it has launched an investigation to determine whether it was the victim of a security breach, following Target Corp’s revelation at the end of last year that it had suffered an unprecedented cyber attack.
“There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears spokesman Howard Riefs said in a statement on Friday.
“We have found no information based on our review of our systems to date indicating a breach,” he added.
He did not say when the operator of Sears department stores and Kmart discount stores had begun the investigation or provide other information about the probe.
Sears Holdings Corp operates nearly 2,500 retail stores in the United States and Canada.
Bloomberg News reported on Friday that the U.S. Secret Service was investigating a possible breach at Sears, citing a person familiar with the investigation. The report did not identify that source by name.
The Bloomberg report said that its source did not disclose details about the scope or timing of the suspected breach.
A spokesman for the U.S. Secret Service declined comment when Reuters asked if the agency was investigating a possible breach at Sears.
The Secret Service is leading the U.S. government’s investigation into last year’s attack on Target, which the company has said led to the theft of some 40 million payment card numbers as well as another 70 million pieces of personal data.
A cybersecurity firm has stated that it has found stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.
The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.
Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.
“The sheer volume is overwhelming,” said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.
Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.
He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.
“We have staff working around the clock to identify the victims,” he said.
He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.
The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.
The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.
Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no direct knowledge of the data that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.
She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.
“They can get access to your actual bank account. That is huge,” Bearfield said. “That is not necessarily recoverable funds.”
After recent payment-card data breaches, including one at U.S. retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.
Wade Baker, a data breach investigator with Verizon Communications Inc, said that the number of attacks targeting payment cards through point-of-sales systems peaked in 2011. That was partly because banks and retailers have gotten better at identifying that type of breach and quickly moving to prevent crooks from making fraudulent transactions, he said.
In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website.
Kickstarter, the fundraising website used by millions of people to raise capital for creative projects and businesses, acknowledged that hackers had gained access to some of its customers’ data but that the breach had been repaired.
“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” Kickstarter Chief Executive Officer Yancey Strickler said in a blog post on the website. The company noted that it does not store credit card data.
Recent data breaches at Target Corp and Neiman Marcus have sparked concern from U.S. lawmakers and consumers over who should bear the cost of consumer losses and how to improve cybersecurity.
Kickstarter’s information that was accessed without authority included user names, email addresses, mailing addresses, phone numbers and encrypted passwords, said Kickstarter, which was informed of the breach by law enforcement officials on Wednesday night.
It added that while passwords were not revealed, persons with computer expertise could still decipher encrypted passwords, and recommended users change their passwords as well as those for other sites or accounts for which the users had the same password.
Kickstarter said it had beefed up security in recent days. It also said it was working with law enforcement officials.
Kickstarter launched in 2009 as a conduit for funding of projects ranging from films and stage shows to video games and restaurant launches. Contributors to a project’s launch are often compensated with rewards, discounts, credits or other offers from the projects they help fund.
Since its launch more than 100,000 projects have been funded, with hundreds of millions of dollars pledged.
The Securities and Exchange Commission said that it is making plans to conduct a roundtable next month to discuss cybersecurity, after massive retailer breaches refocused the attention of the business community and policymakers on the area.
The SEC said that it would hold the event on March 26 to talk about the challenges cyber threats pose for market participants and public companies.
Recent breaches at Target Corp and Neiman Marcus have sparked concern from lawmakers and revived a long-running spat among retailers and banks over who should bear the cost of consumer losses and technology investments to improve security.
Last Thursday, trade groups for the two industries announced they are forming a partnership to work through the disputes.
U.S. lawmakers have also considered weighing in on how consumers should be notified of data theft. But progress on legislation is not guaranteed in a busy election year.
The SEC in 2011 drafted informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on a company’s financial condition.
SEC Chair Mary Jo White last year told Congress that her agency was reviewing whether a more robust disclosure process is needed. But she told reporters last fall she felt the guidance appeared to be working well and that she didn’t see an immediate need to create a rule that mandates public reporting on cyber attacks.
An Internet outage in China that rerouted millions of users to a US website of a company which helps people get around Beijing’s censorship might have been a cyber attack.
Users were redirected to a site run by a company tied to the Falun Gong, a spiritual group banned in China which has been blamed for past hacking attacks. Chinese security experts claim that the outage could have been exploited by hackers, or could have been the result of a hacking attack.
The outage, which lasted for several hours, was due to a malfunction in China’s top-level domain name root servers on Tuesday. Chinese Internet users were rerouted to a U.S.-based website run by Dynamic Internet Technology (DIT), a company that sells anti-censorship web services tailored for Chinese users.
The Epoch Times, a publication produced by the Falun Gong which is banned in China, is a client and sponsor of DIT.
A phony antivirus program in circulation is using at least a dozen stolen digital code-signing certificates, indicating cybercrooks are increasingly breaching the networks of software developers, according to Microsoft.
The application, branded as “Antivirus Security Pro,” was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, “Win32/Winwebsec.”
Digital certificates, issued by Certification Authorities (CAs), are used by developers to “sign” software programs, which can then be cryptographically checked to verify that a program hasn’t been tampered with and originates from the developer who claims to have written it.
If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.
The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued “by a number of different CAs to software developers in various locations around the world,” the company wrote.
The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.
Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to breach either a developer organization or an entity that issues the certificates.
One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating “that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.”
Microsoft noticed another fake antivirus program, which is called “Win32/FakePav,” is also rotating stolen certificates.
Win32/FakePav has gone by more than 30 other names since its detection around 2010. It didn’t use any signing certificates in its early days. The malware was inactive for more than a year until new samples were recently discovered that used a certificate, which was substituted after just a few days with another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.
To prevent problems, software developers should take care to protect the private keys used for code-signing by keeping them on hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.
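As an added illustration (not part of Microsoft’s advisory or this article), the following Go program models the trust decision described above: a valid signature proves only that whoever signed held the private key, so a verifier must also consult the CA’s revocation list before trusting the binary. The certificate, keys and sample bytes are all constructed for the example, and a plain Ed25519 key stands in for an X.509 code-signing certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a simplified code-signing certificate (a real one is X.509, chained to a CA).
type Cert struct {
	Serial string
	Issuer string // the CA that issued it
	PubKey ed25519.PublicKey
}

// Revocations is the verifier's copy of the CA's revocation list.
type Revocations map[string]bool

func (r Revocations) Revoke(c Cert)         { r[c.Issuer+":"+c.Serial] = true }
func (r Revocations) IsRevoked(c Cert) bool { return r[c.Issuer+":"+c.Serial] }

// Sign hashes the program bytes and signs the digest with the developer's private
// key. Whoever holds this key, a thief included, can produce signatures Verify accepts.
func Sign(priv ed25519.PrivateKey, program []byte) []byte {
	digest := sha256.Sum256(program)
	return ed25519.Sign(priv, digest[:])
}

// Status is the verifier's decision.
type Status string

const (
	Trusted     Status = "trusted"       // signature valid, certificate not revoked
	Tampered    Status = "bad-signature" // bytes changed or signed with another key
	RevokedCert Status = "revoked"       // signature valid, but certificate revoked
)

// Verify checks integrity (the signature) and then trust (revocation). A valid
// signature alone proves only that the signer possessed the private key.
func Verify(c Cert, rev Revocations, program, sig []byte) Status {
	digest := sha256.Sum256(program)
	if !ed25519.Verify(c.PubKey, digest[:], sig) {
		return Tampered
	}
	if rev.IsRevoked(c) {
		return RevokedCert
	}
	return Trusted
}

// Demo walks through the article's scenario: a developer signs a genuine build, the
// key is stolen and used to sign malware, then the CA revokes the certificate.
func Demo() (legit, tampered, malwareBefore, malwareAfter Status) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := Cert{Serial: "0001", Issuer: "Example CA", PubKey: pub} // constructed
	rev := Revocations{}
	build := []byte("constructed sample: genuine installer bytes")
	sig := Sign(priv, build)
	legit = Verify(cert, rev, build, sig)
	// A modified binary carrying the original signature fails the integrity check.
	tampered = Verify(cert, rev, append(build, '!'), sig)
	// The attacker holds the private key, so the fake antivirus signs cleanly.
	fakeAV := []byte("constructed sample: rogue fake-antivirus bytes")
	malSig := Sign(priv, fakeAV)
	malwareBefore = Verify(cert, rev, fakeAV, malSig)
	// The CA revokes the certificate; the identical signature now fails the trust check.
	rev.Revoke(cert)
	malwareAfter = Verify(cert, rev, fakeAV, malSig)
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Println("genuine:", a, "| tampered:", b, "| malware before revocation:", c, "| after:", d)
}
```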
“Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware,” the company wrote.
The FTC, over the past several years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”
According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.
“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.
An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.
The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.
Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.
Hackers from China and Russia carried out large-scale intrusions into Finnish government communications, a Finnish TV station has reported.
Finland’s foreign minister Erkki Tuomioja said the breach of the Foreign Ministry’s data network was discovered in spring, and Finland’s intelligence service was investigating it as a case of serious espionage. Broadcaster MTV3 reported the hacking incident, which until now had been kept under wraps, probably because everyone thought the Americans had done it.
Tuomioja declined to comment on suspects, but MTV3 had earlier said Chinese and Russian intelligence agents may have been involved. The report said that the hackers had gained access to the ministry’s network for years and targeted communications between Finnish and European Union officials. Tuomioja insisted that nothing classified was involved.
A U.S. bureau on Tuesday provided a draft of voluntary standards that businesses can adopt to boost cybersecurity – part of an attempt to protect critical industries without setting restrictive and costly regulations.
The National Institute of Standards and Technology (NIST), a nonregulatory agency that is part of the Department of Commerce, issued the so-called framework following input from some 3,000 industry and academic experts.
Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.
President Barack Obama directed NIST to compile voluntary minimum standards in a February executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.
Action on bills this year is stalled after the disclosures of vast online U.S. government spying programs.
The draft offers guidance on how companies could identify and protect network assets and detect, respond to and recover from breaches.
Steps might include keeping inventories of software platforms and applications they use, ensuring that top executives know roles and responsibilities, and setting information security policies.
The document also expands on how the companies could do all that while protecting privacy and civil liberties.
“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” NIST Director Patrick Gallagher told reporters, calling the framework “a living document” that is expected to be flexible.
Many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities.
Another concern is that companies have little incentive to adopt the framework – something being reviewed by the Departments of Homeland Security, Commerce and Treasury.
“This is really just a stepping stone … . The meat of all of this still remains in the incentives program,” said Melanie Teplinsky, who teaches law at American University and serves as an adviser to cybersecurity firm CrowdStrike. “Even if this is perfect, who’s going to adopt this and why?”
Some trade groups and industry analysts say the framework appears vague and complex, and experts warn that may become a hurdle to adoption.
“I understand their problem, they’re trying to write something that any industry can apply. As soon as you do that, you’re going to get to a very big level of abstraction,” said Stewart Baker, a former Department of Homeland Security assistant secretary and now lawyer at Steptoe & Johnson.
“Much of the document is very procedural,” he said. “I fear that it won’t measurably improve cybersecurity without making it more expensive for everybody.”
While Chinese hackers are famous for taking on other people’s governments, it appears that one of them has broken ranks to take out the Glorious People’s Republic’s own Twitter account.
China’s state broadcaster CCTV deleted a tweet claiming the country’s president had set up a special unit to probe corruption accusations against a former domestic security chief. The tweet referred to an article in Hong Kong’s South China Morning Post newspaper. CCTV said that the Twitter account was hacked on October 21 and used illegally to post incorrect information copied from other sources.
The tweet said that President Xi Jinping had set up a special unit to investigate corruption allegations against the retired leader Zhou Yongkang. The South China Morning Post had said Zhou was being investigated for corruption. But sources have told Reuters he was helping in a graft probe, rather than being targeted himself.
Twitter is blocked in China but some state media have set up accounts in an apparent bid to reach foreign audiences. The hack would have had little impact as the account only has 2,480 followers, in contrast to the 9.9 million followers of its main account on Sina Weibo, China’s version of Twitter.
Google introduced Project Shield on Google+, saying that it is aimed at websites that might otherwise be at risk of online disruption.
“Project Shield, [is] an initiative that enables people to use Google’s technology to better protect websites that might otherwise have been taken offline by “distributed denial of service” (DDoS) attacks. We’re currently inviting webmasters serving independent news, human rights, and elections-related content to apply to join our next round of trusted testers,” it said.
“Over the last year, Project Shield has been successfully used by a number of trusted testers, including Balatarin, a Persian-language social and political blog, and Aymta, a website providing early-warning of scud missiles to people in Syria. Project Shield was also used to protect the election monitoring service in Kenya, which was the first time their site stayed up throughout an election cycle.”
Interested websites should visit the Google Project Shield page and request an invitation to the experience. They should not try to do the same at Nvidia’s website, as they will probably just come away with a handheld games console. This will not offer much assistance against DDoS attacks.
According to a video shared by Google last night, Project Shield works by combining the firm’s DDoS mitigation technologies and Page Speed Service (PSS).
Russian mobile malware factories are working with thousands of affiliates to exploit Android users, a security company has claimed.
According to Lookout Mobile Security the system is so efficient that almost a third of all mobile malware is made by just 10 organisations operating out of Russia. These “malware HQs” are pumping out nasty toll fraud apps, largely aimed at Android users, which force the user to call premium rate numbers the report said.
Thousands of affiliate marketers are also profiting from the scheme and helping spread the malware by setting up websites designed to trick users into downloading seemingly legitimate apps. Affiliates can make up to $12,000 a month and are heavy users of Twitter.
The report’s release at the DEF CON 21 conference in Las Vegas indicated that Lookout Mobile Security are working with the spooks to bring the crooks down. The malware HQs had gone to great lengths to obfuscate and encrypt their code to make detection tricky, but their advertising was pretty brazen.
The Google Code developer website is being used by hackers to spread malware, security firm Z-Scaler has warned.
According to Z-Scaler security researcher Chris Mannon who reported uncovering the ploy, cyber crooks are using the Google Code website as a fresh twist on their usual attack strategies.
“Malware writers are now turning to commercial file-hosting sites to peddle their wares,” Mannon wrote in a company blog post. “If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether.
“The kicker is that this time we see that Google Code seems to have swallowed the bad pill.”
The firm urged businesses to adapt their security protocols to deal with the new threat.
“This incident sets a precedent that no file-hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organisational or personal perspective,” Mannon added. “So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location.”
Anti-malware vendor Fireeye said the use of developer websites by hackers to spread malware isn’t anything new and it expects to see similar attacks in the very near future.
“We see this all of the time. In many cases we see fragments of multi-stage attacks for specific campaigns hosted across a variety of intermediate locations,” said Fireeye regional technical lead Simon Mullis. “Any site with user-editable content can be used to host part of the malware attack lifecycle.”
Fireeye noted that the key point is that if you cannot detect the initial inbound exploit, then the rest of the attack can be hidden or obfuscated using this approach.
“This technique has been used for years, and the traditional security model and simple discrete sandboxing has no answer for it,” Mullis added.
Google isn’t the only information technology giant whose developer website has been attacked by hackers. Apple shut down access to its developer website last week after a researcher went public about a security vulnerability. Though it is back up and running now, the attack showed that even the richest technology companies can fall victim to hackers.
There is usually a game played at Defcon, and that is “spot the fed”. Usually they are easy to pick out thanks to their suits and shiny shoes, crewcuts and questions like, “What’s a VPN?”
This year if there are any there they are going to have to attend in serious disguises.
The request that feds stay away follows recent alarming news about US federal government snooping and the US National Security Agency (NSA) PRISM programme, as well as the government persecution and tragic suicide of Aaron Swartz and ‘hacking’ prosecutions of other individuals by the US government.
Anyway, it doesn’t seem like Defcon attendees should be happy to play host to guests that are already snooping on them, the US public and the rest of the world, not to mention trying to throw some of them in prison.
“For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect,” said a note posted to the Defcon website.
“When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year. This will give everybody time to think about how we got here, and what comes next.”
The announcement comes in the wake of the PRISM scandal. That was exposed by NSA whistleblower Ed Snowden and has highlighted just how nosey the US government and its federal investigators are, which is very nosey indeed.
Defcon 21 will be held in Las Vegas in the first week of August.
While the world hears lots of stories about Chinese hackers, apparently Beijing has mountains of data on Americans doing the same thing to them.
China’s top Internet security official told Reuters that he has “mountains of data” pointing to extensive US hacking aimed at China. However, Huang Chengqing told them that it would be irresponsible to blame Washington for such attacks. Cyber security is a major concern for the government and is expected to be at the top of the agenda when President Barack Obama meets with Chinese President Xi Jinping in California later this week.
Huang said that he had mountains of data if he wanted to accuse the US, but that doing so would not be helpful in solving the problem. Huang runs the National Computer Network Emergency Response Technical Team/Coordination Centre of China, known as CNCERT.