A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities.
According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.
Greene wrote that the majority of reports Facebook receives concern the more common parts of its code, but the company would like to encourage interest in ads “to better protect businesses.”
Facebook’s ad tools include the Ads Manager, the ads API (application programming interface) and Analytics, which is also called Insights, Greene wrote. The company also wants close scrutiny of its back-end billing code.
“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene wrote. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”
Greene wrote that Facebook typically sees bugs such as incorrect permission checks, insufficient rate-limiting, edge-case CSRF (cross-site request forgery) issues and problems with Flash in its ads code.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Community Health Systems Inc., one of the largest U.S. hospital groups, is reporting that it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
Security experts said the hacking group, known as “APT 18,” may have links to the Chinese government.
“APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries, said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attack on Community Health, which took place in April and June.
“They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected,” he said.
The information stolen from Community Health included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing.
The stolen data did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development, said Community Health, which has 206 hospitals in 29 states.
The attack is the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
Chinese hacking groups are known for seeking intellectual property, such as product design, or information that might be of use in business or political negotiations.
Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.
Over the past six months Mandiant has seen a spike in cyber attacks on healthcare providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal. Mandiant monitors about 20 hacking groups in China.
The UK Government isn’t doing enough to warn about the risks of cybercrime on a mass level, security firm Kaspersky has claimed.
Speaking at a company roundtable event at the firm’s European hub in London on Thursday, Kaspersky security researcher David Emm said the government isn’t doing as much as it could to educate people about cyber security.
“I’d like to see the government doing more to get the message out to mainstream citizens and individuals because that’s the bone in which the industry is growing; the individuals with ideas,” Emm said.
“If you look at it, the recent Cyber Street Wise campaign aside, I don’t think the government is doing very much in terms of mainstream messaging and I would certainly like to see it do more.”
Emm used the example of major UK marketing campaigns promoting the dangers of drink driving as an ideal model because they have been drilled into us over the years.
“As parents, we have this body of common sense, such as drink driving, and it’s drip, drip, drip, over the years that has achieved that and I think we need to get to a point where we have some body of online common sense in which business people can draw upon; there’s definitely a role for education.”
Barclays bank, which was also present at the roundtable, agreed with Emm.
“The government really needs to recognise this is a serious issue – if you’re bright enough to set up your own business, you’re bright enough to protect yourself,” added the firm’s MD of fraud prevention Alex Grant.
Emm concluded by saying that the government’s Cyber Street Wise campaign that was launched in January was good enough to make people aware of the risks of cybercrime in the metropolitan areas. However, he said he’d like to see the government focus more on regional areas as people in sparsely populated areas weren’t as aware of it.
Kaspersky’s roundtable took place as part of the firm’s launch of a report that found small businesses in the UK are “woefully unprepared” for an IT security breach, despite relying increasingly on mobile devices and storing critical information on computers.
The study found that nearly a third, or 31 percent, of small businesses would not know what to do if they had an IT security breach tomorrow, with four in ten saying that they would struggle to recover all data lost and a quarter admitting they would be unable to recover any.
Duo Security Research has warned that it is possible to bypass two-factor authentication (2FA) protection on Paypal.
All an attacker needs to access a 2FA-protected account is the victim’s username and password, Duo said, although Paypal has a workaround in place and says a fix is on the way.
“An attacker only needs a victim’s Paypal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” Duo Security Research said.
“Paypal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix. In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their Paypal account security.”
The problem exists in the mobile Paypal apps that can be tricked into ignoring 2FA protection on user accounts.
The security firm said it developed a proof of concept exploit for the bug.
It added, “While Paypal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the Paypal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.”
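What Duo describes, an app that ignores the account’s 2FA flag, is only a bypass if the server treats that flag as advice to the client rather than as a gate it enforces itself. As an added example for this page (not Duo’s proof of concept and not Paypal’s code; the user record, one-time code and API names are made up), the Python sketch below contrasts a server that hands out a fully privileged session at password login with one that keeps the session pending until it has checked the second factor server-side, and shows how a careless client fares against each:

```python
import hashlib
import hmac
import secrets

# Constructed user record for the example; the credentials and OTP are made up.
_SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    # PBKDF2 stands in for whatever slow KDF a real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery"),
        "two_factor": True,   # the account opted in to the Security Key / SMS step
        "otp": "246810",      # current one-time code; fixed here so the test is deterministic
    },
}


def _password_ok(user: str, password: str) -> bool:
    record = USERS.get(user)
    return bool(record) and hmac.compare_digest(record["pw_hash"], _hash_password(password))


class VulnerableServer:
    """Issues a fully privileged session at password login. The
    two_factor_required flag in the response is only advice to the client,
    so a client that ignores it can transact without a second factor."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user}
        return {"token": token, "two_factor_required": USERS[user]["two_factor"]}

    def send_money(self, token, amount):
        return token in self.sessions  # no notion of a pending second factor


class HardenedServer:
    """Keeps the session in a pending state until the server itself has
    verified the second factor; the client cannot promote its own session."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        needs_2fa = USERS[user]["two_factor"]
        self.sessions[token] = {"user": user, "verified": not needs_2fa}
        return {"token": token, "two_factor_required": needs_2fa}

    def verify_otp(self, token, code):
        session = self.sessions.get(token)
        if session is None:
            return False
        expected = USERS[session["user"]]["otp"]
        if hmac.compare_digest(expected, code):  # constant-time comparison
            session["verified"] = True
            return True
        return False

    def send_money(self, token, amount):
        session = self.sessions.get(token)
        return bool(session and session["verified"])


def careless_mobile_login(server, user, password):
    """Models an app that does not understand the 2FA flag and goes straight
    to transactions with whatever token it was given."""
    resp = server.login(user, password)
    return resp["token"] if resp else None
```

The hardened server still returns the flag, but nothing depends on the client obeying it: send_money consults the server’s own record of whether the second factor was verified, so a client that skips the OTP step simply cannot transact.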
Paypal has penned a blog post saying that this is all in hand, and that the flaw has been disabled.
“The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their Paypal account. Customers who do not use the Paypal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way,” Paypal said.
“Even though 2FA is an additional layer of authentication, Paypal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”
Paypal said that customer accounts were, and have remained secure. Duo Security said that it hopes that “full support of two-factor authentication in the [Paypal] official mobile applications and third-party merchant apps” follows.
Recently Paypal’s parent company eBay was the scene of a security scandal that made people question whether it really understands security at all.
The components of a digital surveillance tool used by governments around the globe have been uncovered by Kaspersky Lab, whose research team tracked down and reverse engineered the Hacking Team’s Remote Control System (RCS) tool.
Hacking Team is an Italian company that develops the ‘legal’ RCS spyware tool, and supposedly sells it to governments as a surveillance device. Kaspersky’s Securelist has been tracking the Hacking Team since 2011, when Wikileaks released documents describing the functions of the spyware programs the company has offered to government agencies since 2008.
In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar to the programs described on Wikileaks as the Remote Control System, the description of which was published at the company’s website www.hackingteam.it. However, at the time, Kaspersky Lab had no way of knowing about the connections between the threats that were detected and the Hacking Team spyware program.
However, now the Russian security company said that new components target iOS, Android, Windows Phone and Blackberry users, and are actually part of Hacking Team’s much bigger set of tools targeting desktops and laptops.
From its findings, Kaspersky said the iOS and Android modules provide a multitude of features to whoever’s hands they fall into, giving them complete control over targeted phones.
“Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target, which is much more powerful than traditional cloak and dagger operations,” Kaspersky Lab researcher Sergey Golovanov said in a blog post about the findings.
The tools could give governments access to emails, text messages, call history and address books, as well as logging keystrokes and obtaining search history data.
Once installed, the tool can track a user’s location via the phone’s GPS signal, take screenshots, record audio from the phone to monitor calls or conversations, or hijack the phone’s camera to take pictures.
“We have also seen the emergence of privately owned companies that, according to the information on their official websites, develop and offer software to law enforcement agencies to facilitate the collection of data from user computers,” Kaspersky’s Securelist post read.
“Countries that do not have the requisite technical capabilities are thus able to purchase software with similar functions from private companies.
“In spite of the fact that most countries have laws prohibiting the creation and distribution of malicious programs, this spyware is offered with almost no attempt to conceal its functions.”
The firm added that so far, there aren’t very many of these companies and almost no competition in this particular market, which makes it very attractive to new players and thus sets the stage for a technology race among them.
Hackers have found a way to reverse engineer the technology of the United States National Security Agency (NSA) spy gadgets.
Thanks to documents leaked by fugitive former NSA contractor and whistleblower Edward Snowden, the group has built a copycat device able to gather private data from computer systems.
The Advanced Network Technology catalogue, leaked by Snowden, is the NSA’s equivalent of the Argos catalogue, showing a range of toys available to agents. One such device, known as a “retro reflector”, had eluded identification beyond the fact that it acted as a bug, keylogger and screengrabber.
Michael Ossmann and his team from Great Scott Gadgets, a Colorado-based hacking group, decided that the best defence against such devices was to build their own in order to understand what makes them tick.
It transpired that the key technology is software defined radio (SDR), an approach that performs a radio’s signal processing in software rather than in dedicated hardware circuitry, so the same device can transmit and receive on whatever signal format the software implements.
“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” Ossmann told New Scientist.
The technique can be used for almost any type of radio signal and therefore the devices are capable of tracking anything, from what you’re listening to through a Bluetooth headset to the binary signals of your internet traffic.
The group, which will demonstrate its work at the Defcon hacking conference in Las Vegas, runs a website at NSAplayset.org that is a repository for all of the information it gathered.
Speaking at a roundtable at the company’s lab in Helsinki, Finland on Tuesday, F-Secure CEO Christian Fredrikson said that Google knows far too much about us, and any kind of profiling is not something we should condone.
“We don’t think profiling is just innocent, [that] it doesn’t matter; we think it is extremely dangerous,” Fredrikson said.
“It actually means that if you have all the information of people gathered over 10 years, you – in democracies even – could stay in power forever, because if you have all the information, you have all the power.”
For example, Fredrikson said that if you were to go into a job interview tomorrow, the company could, in theory, know that three months ago you went through a divorce, went to a doctor and were prescribed some medicine, all due to Google’s profiling, which could in turn affect the outcome of the interview.
“Taking profiling to a personal level is not innocent, so we feel mass gathering of data of every individual is not something we should be condoning,” he concluded.
A Cryptolocker-style piece of Android ransomware dubbed Simplocker has been detected by security firm Eset, which confirmed that it scrambles files on the SD cards of infected devices before issuing a demand for payment.
The message is in Russian and the demand for payment is in Ukrainian hryvnias, equating to somewhere between £15 and £20.
Naturally, the warning also accuses the victim of looking at rather unsavoury images on their phone. However, while the source of the malware is said to be an app called “Sex xionix”, it isn’t available at the Google Play Store, which generally means that anyone who sideloads it is asking for trouble.
Eset believes that this is actually more of a “proof of concept” than an all-out attack, and far less dangerous than Cryptolocker, but fully functional.
Robert Lipovsky of Eset said, “The malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
Eset recommends the usual: use an anti-malware app (it recommends its own, obviously) and keep files backed up. Following such advice, said Lipovsky, ensures that ransomware is “nothing more than a nuisance”.
This is not the first Android cryptolocker-style malware. Last month a similar threat was found, which Kaspersky said was “unsurprising, considering Android’s market share”.
Hacker blogger Quinn Norton is getting a lot of coverage with her blog post claiming that the Internet is broken. She argues that every computer and every piece of software we use is vulnerable to hackers because of terrible security flaws. Norton blames these flaws on the immense pressure developers face to ship software quickly.
Norton says that those bugs may have been there for years unnoticed, leaving systems susceptible to attacks. One of her hacker mates accidentally took control of more than 50,000 computers in four hours after finding a security vulnerability. Another one of her colleagues accidentally shut down a factory for a day after sending a “malformed ping.”
She said that the NSA wasn’t, and isn’t, the great predator of the internet, just the biggest scavenger around. Its success, she argues, is not because its staff are all-powerful math wizards of doom; the real problem is that software is too complicated and too little emphasis is placed on security.
“The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when,” Norton said.
Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.
“As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure,” wrote Ryan Moore, lead manager of eBay’s business communications, in an email to IDG News Service.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S, according to statistics from Amazon’s Alexa Web analytics unit. Its combination of a marketplace and payments platform, PayPal, means it holds sensitive data and poses opportunity for fraudsters.
Three U.S. states — Connecticut, Florida and Illinois — are jointly investigating eBay’s data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target’s data breach last year.
EBay’s size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by “black hat” hackers, those who are seeking to damage a company or profit from attacks, and “white hats,” who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone’s eBay account if he knows a person’s user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn’t received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Security experts have poured cold water on an OpenSSL vulnerability which a group of hackers have dubbed Heartbleed 2. The group of five claimed on Pastebin that they had discovered another major security flaw in the patched version of OpenSSL: a missing bounds check in the handling of a variable they call DOPENSSL_NO_HEARTBEATS.
“We could successfully Overflow the DOPENSSL_NO_HEARTBEATS and retrieve 64kb chunks of data again on the updated version,” they said.
The hackers said they would not make the vulnerability public as it would only allow companies to patch the flaw. They added they could exploit the flaw themselves “for a long time” before it gets patched, but they are also willing to sell it for $1,085.
“We are team of five people, and we have coded nonstop for 14 days to see if we could find a workaround, and we did it! We have no reason to make it public when the vendors will go for a update again,” the group said.
The only evidence offered that the vulnerability is real is an image of what appears to be the output from a server responding to a request from the attackers. Security experts have pointed out, however, that the DOPENSSL_NO_HEARTBEATS “variable” named by the hackers doesn’t actually exist: -DOPENSSL_NO_HEARTBEATS is a compile-time preprocessor flag that removes the heartbeat extension from the build entirely, not a runtime value that could be overflowed.
While the rest of the world rushed to fix servers containing the Heartbleed security bug, Apple was curiously quiet. It was not that its products did not contain the flaw: its AirPort Extreme and Time Capsule Wi-Fi routers were all vulnerable, but no one seemed to want to talk about it.
Yesterday Jobs’ Mob issued an update for its latest AirPort Extreme and Time Capsule Wi-Fi routers to fix a Heartbleed-related vulnerability, which could be triggered if Back to My Mac remote access was enabled or if the user sent diagnostics back to Apple.
Of course the Tame Apple press has been saying it is better “sooner than later” but what is alarming is that the patch did not come out much sooner. Sites like Ubergizmo appeared to be playing down the bug and implied that Apple would be largely free from it.
“While this particular flaw will not allow those with nefarious intentions to steal your personal data or credentials, it could still open some leeway for them to launch man-in-the-middle attacks which will eventually grant access to login pages on not only the router, but also on your computer as well,” the site claimed.
It is sort of true. It will not bother Apple users if they don’t visit any webpages, but we guess a few of them will sometimes do that. The assumption that Jobs’ Mob’s OS was somehow invulnerable and that only those nasty Windows machines were affected is so out of touch it is annoying.
To be fair, Ubergizmo does say that people using the latest networking devices from Apple are highly recommended to patch their hardware without any further delay, but that is only several paragraphs after saying not to worry.
The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.
On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.
Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.
Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.
The bug had been introduced in OpenSSL in late 2011.
Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and because exploiting the flaw leaves no trace in server logs, security experts worried that cyber criminals either had, or could, capture usernames, passwords, and even the encryption keys used by site servers.
The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.
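The flaw itself is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension (RFC 6520): a heartbeat request carries a 16-bit payload length, and the unpatched code echoed that many bytes back without checking that they fit inside the record it had actually received, so each request could pull up to 64 KB of adjacent process memory. The Python sketch below is an added illustration written for this page, not OpenSSL’s code or Sucuri’s scanner; it models the record buffer and the memory after it as one byte string (the SECRET constant is constructed sample data) and places the pre-patch logic beside the length check that the April 7 fix introduced:

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int = -1) -> bytes:
    """Build a heartbeat request. claimed_length lets a caller lie about the payload size."""
    length = len(payload) if claimed_length < 0 else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * MIN_PADDING


def _parse_header(memory: bytes):
    hb_type = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    return hb_type, payload_len


def _response(echoed: bytes, payload_len: int) -> bytes:
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len) + echoed + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g logic: the 16-bit length field is trusted outright."""
    hb_type, payload_len = _parse_header(memory)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # BUG: payload_len is never compared with record_len, so the copy reads
    # past the end of the record into whatever follows it in memory.
    echoed = memory[3:3 + payload_len]
    return _response(echoed, payload_len)


def patched_respond(memory: bytes, record_len: int) -> bytes:
    """1.0.1g logic: reject records too short to be valid and drop any
    request whose claimed payload does not fit inside the record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return b""
    hb_type, payload_len = _parse_header(memory)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""  # silently discard, as RFC 6520 section 4 requires
    echoed = memory[3:3 + payload_len]
    return _response(echoed, payload_len)


def echoed_payload(response: bytes) -> bytes:
    """Pull the echoed bytes back out of a heartbeat response (empty if none)."""
    if not response:
        return b""
    (payload_len,) = struct.unpack(">H", response[1:3])
    return response[3:3 + payload_len]


# Constructed stand-in for process memory: the record is followed by data
# the peer should never see.
SECRET = b"session=0xdeadbeef; privkey=<constructed sample bytes>"
HONEST_RECORD = build_heartbeat(b"ping")
# Claim a payload long enough to reach past the padding and through SECRET.
MALICIOUS_RECORD = build_heartbeat(b"ping", claimed_length=4 + MIN_PADDING + len(SECRET))
```

Feed MALICIOUS_RECORD + SECRET to both functions with the record’s true length and the vulnerable version echoes the secret back, while the patched one returns nothing. Because a dropped heartbeat leaves nothing in the server’s logs, a site cannot tell after the fact whether it was read this way, which is why the advice after patching was to treat keys as potentially exposed and reissue certificates.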
The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog post that day.
While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.
Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.
Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.
Sucuri’s scan did not examine whether sites had been issued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.
A U.S. court has ruled that the Federal Trade Commission can proceed with a lawsuit against hotel group Wyndham Worldwide Corp for allegedly failing to properly secure consumers’ personal information.
Wyndham had argued that the commission did not have jurisdiction to sue over what it saw as lax security leading to data breaches, and had asked for the lawsuit to be dismissed.
Judge Esther Salas, of the U.S. District Court for the District of New Jersey, disagreed and ruled that the FTC should be allowed to proceed with its case.
Wyndham said in a statement that it planned to continue its fight.
“We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” the company said. “We intend to defend our position vigorously.”
The FTC has accused Wyndham of failing to provide adequate security for its computer system, leading to three data breaches between April 2008 and January 2010. It says the breaches led to fraud worth $10.6 million.
FTC Chairwoman Edith Ramirez said she was “pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data.
“We look forward to trying this case on the merits,” she said.
Wyndham operates several hotel brands, including the value-oriented Days Inn and Super 8. It is one of many organizations to acknowledge in recent years that it had been hacked by people seeking either financial gain or intellectual property.