IBM security research has found that people are using the so-called dark net to launch cyber attacks, force ransomware demands on punters and make distributed denial-of-service (DoS) attacks.
The dark net, accessed via Tor, is often tagged as a threat. The IBM X-Force Threat Intelligence Quarterly 3Q 2015 report identifies a spike in bad traffic and leads with a warning.
The report introduces Tor as the network that takes people to the dark net. We might start calling it the ferryman and the passage across the river Styx, but things are complicated enough.
IBM said that Tor is used by “non-malicious government officials, journalists, law enforcement officials” and bad people alike. It is the latter that should concern us.
“This latest report reveals that more than 150,000 malicious events have originated from Tor in the US alone thus far in 2015,” the report said.
“Tor has also played a role in the growing ransomware attack trend. Attackers have evolved the use of encryption to hold data hostage and demand payment/ransom for the decryption code.”
We have been here before, and ransomware has been a feature of many a security alert this year already. We heard, courtesy of Bitdefender, that ransomware charges start at £320, and are a real pain to deal with. We also heard that it is Android mobile users in the UK who get the worst of the hackers’ grabbing-for-money treatment.
Back at the IBM report, and we find IBM X-Force on the issue. X-Force, which is nothing like X-Men, said that hackers push internet users who are easily fooled by flashy online advertisements into installing the new cyber nightmare. Ransomware, it warns, will separate you from your cash.
“A surprising number of users are fooled by fake/rogue antivirus [AV] messages that are nothing more than animated web ads that look like actual products. The fake AV scam tricks users into installing or updating an AV product they may never have had,” it explains, adding that in some cases people pay the money without thinking.
“Afterward, the fake AV keeps popping up fake malware detection notices until the user pays some amount of money, typically something in the range of what an AV product would cost.”
This establishes the subject as a mark, and the hackers will exploit the opportunity. “Do not assume that if you are infected with encryption-based ransomware you can simply pay the ransom and reliably get your data back,” said IBM.
“The best way to avoid loss is to back up your data. Regardless of whether your backup is local or cloud-based, you must ensure that you have at least one copy that is not directly mapped visibly as a drive on your computer.”
Tor nodes in the US spewed out the most bad traffic in the first half of this year, according to the report, adding up to about 180,000 attacks. The Netherlands is second with around 150,000, and Romania is third with about 80,000.
The bulk of this negative attention lands at technology and communications companies. You might have assumed the financial markets, but you were wrong. IBM said that ICT gets over 300,000 Tor thwacks every six months, manufacturing gets about 245,000, and finance gets about 170,000.
IBM said that the old enemy, SQL injection attacks, is the most common Tor-led threat to come at its customers. Vulnerability scanning attacks are also a problem, and IBM said that the use of the network as a means for distributed DoS attacks should “Come as no surprise”. It doesn’t.
“These attacks combine Tor-commanded botnets with a sheaf of Tor exit nodes. In particular, some of the US-based exit nodes provide huge bandwidth,” explained the report.
“Employing a handful of the exit nodes in a distributed DoS orchestrated by the botnet controller and originating at dozens or hundreds of bot hosts can impose a large burden on the targeted system with a small outlay of attacker resources, and generally effective anonymity.”
There is a lot more. The bottom line is that bad things happen on the dark net and that they come to people and businesses through Tor. IBM said that concerned outfits should just block it and move on, which is along the lines of something that Akamai said recently.
“Corporate networks really have little choice but to block communications to these stealthy networks. The networks contain significant amounts of illegal and malicious activity,” said Akamai.
“Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions.”
That sounds fine to us, but won’t someone give a thought to those non-malicious government officials out there?
A U.S. appeals court has ruled that the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information.
The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.
The FTC wants to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from more than 619,000 consumers, leading to over $10.6 million in fraudulent charges.
Noting the FTC’s broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices, Circuit Judge Thomas Ambro said Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.’”
Wyndham brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge.
A company spokesman, Michael Valentino, said “safeguarding personal information remains a top priority” for the Parsippany, New Jersey-based company. “We believe the facts will show the FTC’s allegations are unfounded,” he added.
FTC Chairwoman Edith Ramirez welcomed the decision.
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.
Congress has not adopted wide-ranging legislation governing data security, a growing concern after high-profile breaches such as at retailer Target Corp, infidelity website Ashley Madison, and even U.S. government databases.
In a test of its power to fill the void, the FTC sued Wyndham in June 2012, claiming its computers “unreasonably and unnecessarily” exposed consumer data to the risk of theft.
Wyndham accused the FTC of overreaching, but U.S. District Judge Esther Salas in Newark, New Jersey, let the case proceed.
Affirming that ruling, Ambro rejected Wyndham’s argument that it lacked “fair notice” about what the FTC could require.
He also rejected what he called Wyndham’s “alarmist” argument that letting the FTC regulate its conduct could give the agency effective authority to regulate hotel room door locks, or sue supermarkets that fail to sweep up banana peels.
Volkswagen (VW) has watched as a security vulnerability in a key system on a range of vehicles has been released from the garage and put on the news road.
VW was first notified about the problem two years ago, but has worked to keep it under the bonnet. Well, not all of it, just a single line – not a yellow line – has been contentious. The line is still controversial, and has been redacted from the full, now released, report.
VW secured an injunction in the UK high court two years ago. The firm argued at the time that the information would make it easy to steal vehicles that come from its factories and forecourts. That might be true, but that is often the case with vulnerabilities.
The news that VW has suppressed the report for this amount of time is interesting, but it does remind us that not everyone in the industry appreciates third-party information about weaknesses.
VW has a lot of cars under its hood and, according to the report, a lot of different vehicles are affected. These run from Alfa Romeo through to Volvo, and take in midlife crisis mobility vehicles like the Maserati and Porsche.
The report is entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer (PDF), and is authored by Roel Verdult from Radbound university in the Netherlands and Flavio Garcia from the University of Birmingham in the UK.
Megamos Crypto sounds like a sci-fi bad guy, maybe a rogue Transformer, but it is actually designed to be a good thing. The security paper said that it is a widely deployed “electronic vehicle immobiliser” that prevents a car starting without the close association of its key and included RFID tag.
The researchers described how they were able to reverse engineer the system and carry out three attacks on systems wirelessly. They mention several weaknesses in the design of the cipher and in the key-update mechanisms. Attacks, they said, can take as little as 30 minutes to carry out, and recovering a 96-bit encryption key is a relatively simple process.
This could be considered bad news if you are a car driver. It may even be worse news for pedestrians. Concerned car owners should find their keys (try down the back of the sofa cushion) and assess whether they have keyless ignition. The researchers said that they told VW about the findings in 2012, and that they understand that measures have been taken to prevent attacks.
We have asked VW for an official statement on the news, but so far it isn’t coughing. Ready to talk, though, is the security industry, and it is giving the revelation the sort of disapproving look that people give cats when they forget what that sand tray is for.
Nicko Van Someren, CTO at Good Technology, suggested that this is another example of what happens when you go from first gear to fourth while going up a hill (this is our analogy). He described it in terms of the Internet of Things (IoT), and in respect of extending systems before they are ready to be extended.
“This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet,” he said.
“Increasingly, in the rush to connect ‘things’ for the IoT, we find devices that were designed with the expectation of physical access control being connected to the internet, the cloud and beyond. If the security of that connection fails, the knock-on effects can be dire and potentially even fatal.”
Cyber thieves are using Yahoo’s advertising network to make money in a bad way. Today’s tinned food and bottled water warning is that the Yahoo system that we have come to love and let inform our purchasing decisions has a sickness, and that sickness is ruddy people and their tinkering with security.
People, specifically hackers, are exploiting the Yahoo advertising system with a poison, a poison known as malvertizing, according to a blog post by security firm Malwarebytes.
Malvertizing, a portmanteau of malware and advertising, is what you would expect.
Jérôme Segura, a senior security researcher at Malwarebytes, said that it is a rather significant threat, and a rather recent one.
“June and July have set new records for malvertizing attacks. We have just uncovered a large-scale attack abusing Yahoo’s own ad network,” he said.
“As soon as we detected the malicious activity, we notified Yahoo and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at this time.”
Segura said that the Yahoo network has a lot of traffic, he quoted monthly visits of 6.9 billion a month, and that the threat presented to users is a sneaky and silent one.
“Malvertizing is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” he added.
“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.”
Segura explained that the firm had worked closely with Yahoo on nixing the problem and Yahoo confirmed this in a statement.
“Yahoo is committed to ensuring that our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue,” it said.
“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”
The social security numbers and credit card information of up to 6,000 University of Connecticut students, faculty and others may have been stolen by cyberhackers from China, the university said on Friday.
Officials detected a potential breach of the School of Engineering’s network in March and an investigation uncovered that hackers may have gained access to it as early as September, 2013, spokesman Tom Breen said.
He said 6,000 students, faculty, alumni and research partners of the school were notified that their personal information may have been compromised.
“The breach is far more extensive, could impact many more accounts and started much earlier than we originally believed,” said Breen. “There is no way at the present time to determine the exact number of accounts hacked,” he added.
Breen said the hack has been traced to China ”based on the type of cyber-attack that was launched, and the software used.” He added the FBI and several state agencies have been notified. The university said it was also taking steps to secure its systems.
The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.
Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.
The bug in the latest version of Apple’s OS X allows attackers root user privileges with a micro code which could be packed into a message.
Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.
The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that standard safeguards involving additions to the OS X dynamic linker dyld applied to them because they were protected from harm by Steve Job’s ghost.
This means that attackers to open or create files with root privileges that can reside anywhere in the OS X file system.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.
An Apple spokesman said that engineers are aware of Esser’s post of course they did not say they would do anything about it. They will have to go through the extensional crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally bury it in soft peat for three months and recycled as firelighters.
Microsoft is very close to releasing Advanced Threat Analytics (ATA) the security sure-up that it first announced three months ago.
ATA, or MATA as we called it for our own small amusement, is the result of three months’ real world testing, and the culmination of enough user feedback to inform a final release.
That final release will happen in August, which should give you plenty of time to get your head around it.
Hmmm. Microsoft’s Advanced Threat Analytics seems like a very good idea focused on the enterprise.
— Kevin Jones (@vcsjones) May 4, 2015
Idan Plotnik, who leads the ATA team at Microsoft, explained in an Active Directory Team Blog post that the firm is working towards removing blind spots from security analytics, and that this release should provide a strong and hardy tool for the whacking away of hacking.
“Many security monitoring and management solutions fail to show you the real picture and provide false alarms. We’ve taken a different approach with Microsoft ATA,” he said.
“Our secret sauce is our combination of network Deep Packet Inspection, information about the entities from Active Directory, and analysis of specific events.
“With this unique approach, we give you the ability to detect advanced attacks and stolen credentials, and view all suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline.”
The Microsoft approach is an on-premise device that detects and analyses threats as they happen and on a retrospective basis. Plotnik said that it combines machine learning and knowledge about existing techniques and tactics to proactively protect systems.
“ATA detects many kinds of abnormal user behaviour many of which are strong indicators of attacks. We do this by using behavioural analytics powered by advanced machine learning to uncover questionable activities and abnormal behaviour,” he added.
“This gives the ability for ATA to show you attack indicators like anomalous log-ins, abnormal working hours, password sharing, lateral movement and unknown threats.”
A number of features will be added to the preview release, including performance improvements and the ability to deal with more traffic, before general availability next month.
Costco Wholesale Corp , Sam’s Club and several other large retailers have disabled their online photo printing stores in recent days, over concerns about a possible data breach at PNI Digital Media, which manages and/or hosts photo services sites.
Last week CVS Health Corp disabled its CVSphoto.com site, and the week before Walmart Canada’s walmartphotocentre.ca took a similar action after it was informed that customer credit card data had been potentially compromised.
Other photo printing sites that might have been recently affected included Rite Aid Corp and British supermarket chain Tesco’s.
“We take the protection of information very seriously. PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” said Kirk Saville, vice president, global communications at Staples Inc, which bought Vancouver-based PNI last year.
Some websites said they had been advised by PNI of a potential breach, while others said they acted because of recent reports.
Costco Canada and Rite Aid noted that PNI has limited access to customer information since it does not process credit cards, but the photo service sites were temporarily taken down as a precaution.
CVS and Walmart Canada asked customers to monitor their credit card transactions closely for unauthorized charges.
Tesco’s page simply said it was it was unavailable for routine maintenance.
The retailers’ main websites and other services were not affected by the potential breach.
Security gurus at Malwarebytes have been working on anti-malware software for Macs to ensure that Apple computers are protected from the latest online threats.
In what is perhaps more evidence that Macs should no longer be viewed as immune from malware, the release of Anti-Malware for Mac represents Malwarebyte’s first product dedicated to what the firm calls “underserved Mac user communities”.
The new product is designed to detect and remove malware, adware and potentially unwanted programs, capabilities that Malwarebytes said have been repeatedly requested by customers.
The release also sees Malwarebytes acquiring AdwareMedic by The Safe Mac, which will see AdwareMedic creator and owner Thomas Reed joining the company as director of Mac offerings. The security firm said that this will lead to a growing team of Mac developers and researchers.
“We’ve had repeated requests from our customers and community for malware protection on the Mac, and are now proud to unveil the first version of Malwarebytes Anti-Malware for Mac,” said Chad Bacher, VP of products for Malwarebytes.
“Our vision is to provide protection across all devices, regardless of type or operating system.”
Macs have traditionally been seen as immune from viruses, but Malwarebytes seems to think it’s pretty important that they are protected.
The firm said that there has been a proliferation of new adware in the past two years, including Genieo, Conduit and VSearch, that inject ads and pop-up hyperlinks in web pages, change the user’s homepage and search engine, and insert unwanted toolbars into the browser.
Other features of the Malwarebytes software include the removal of malware, including Trojans, quick virus scanning and simple program management.
Malwarebytes Anti-Malware for Mac 1.0 is available as a free consumer download from today. Small business and enterprise versions will be unveiled later this year, the firm said.
Company executives are worried about security breaches, but recent surveys suggest they are not convinced about the value or effectiveness of cyber insurance.
The report from the University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market outlines a scenario of an electricity blackout that leaves 93 million people in New York City and Washington DC without power.
The scenario, developed by Cambridge, is technologically possible and is assessed to be within the once-in-200-year probability for which insurers should be prepared, the report said.
The hypothetical attack causes a rise in mortality rates as health and safety systems fail, a drop in trade as ports shut down and disruption to transport and infrastructure.
“The total impact to the U.S. economy is estimated at $243 billion, rising to more than $1 trillion in the most extreme version of the scenario,” the report said. The losses come from damage to infrastructure and business supply chains, and are estimated over a five-year time period.
The extreme scenario is built on the greatest loss of power, with 100 generators taken offline, and would lead to insurance industry losses of more than $70 billion, the report added.
There have been 15 suspected cyber attacks on the U.S. electricity grid since 2000, the report said, citing U.S. energy department data.
The U.S. Industrial Control System Cyber Emergency Response Team said that 32 percent of its responses last year to cyber security threats to critical infrastructure occurred in the energy sector.
“The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than
defenders could remedy them,” Tom Bolt, director of performance management at Lloyd’s, said in the report.
The move is the latest in a long string of acts of openness as Microsoft steers towards taking its place in a multi-platform world, rather than attempting to recreate the domination that has slipped through its fingers as the landscape has evolved.
Microsoft has been working to integrate Linux into products like Azure for some time, and it’s getting to the point where it would be pretty idiotic to hold out any further.
Angel Calvo, group software engineering manager for the PowerShell team, said: “A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.
“Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and remotely manage Linux and Windows systems.”
He goes on to explain that Microsoft will become an active member of the OpenSSH community and contribute its own take on things and ensure tight compatibility. There is no set date for launch, and development is in the “early planning stages”.
Calvo said that attempts to support SSH in the past were rejected, although he didn’t make it entirely clear who had rejected Microsoft’s advances.
“Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive,” he said.
OpenSSH was hit by a vulnerability known as Logjam last month. A joint statement from US universities investigating the glitch said: “If you use SSH, you should upgrade your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.”
The company launched an investigation in early May after receiving reports of unusual activity involving payment cards used at some of its stores. While it now has sufficient evidence to confirm an illegal intrusion, the company declined to comment on the breach’s scope until the forensics investigation is complete.
Sally Beauty is one of the largest retailers of beauty products in the U.S. and has over 4,500 stores.
In March last year, the company said hackers stole up to 25,000 customer records containing payment card data. According to the company’s annual report for 2014, attackers managed to install malware on some of its point-of-sale systems and captured “track 2″ card data.
Track 2 refers to one of the data tracks encoded on a card’s magnetic stripe. It contains the card’s number and expiration date and can be used by criminals to clone it.
“There can be no assurances that we will not suffer another cyber-attack or data security breach in the future and, if we do, whether our physical, technical and procedural safeguards will adequately protect us against such attacks and breaches,” the company said in its report.
The compromise of point-of-sale systems with memory-scraping malware has resulted in some of the largest card breaches over the past two years. The technique was used to steal 56 million payment card records from Home Depot last year and 40 million from Target in late 2013.
WordPress has issued a security fix after millions of websites were at risk of a bug that allows attackers to take control of a system.
Patched in the WordPress 4.2.1 Security Release, the fix was announced in an advisory by WordPress consultant Gary Pendergast just hours after the vulnerability was disclosed by a bug hunter.
“A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site,” read the advisory.
“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those.”
Uncovered by Oy Jouko Pynnönen, a researcher at Finnish security company Klikki, the vulnerability is a cross-site scripting (XSS) bug that could allow a hacker to take over an entire server running the WordPress platform by changing passwords and creating new accounts.
Pynnönen knew about the bug for some time but decided to take it public because WordPress “refused all the communication attempts” he has made since November 2014.
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” explained Pynnönen in a blog post.
“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
The vulnerability is hijacked by injecting code into the comments section of the site, and then adding more than 64Kb of text.
“If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page,” he continued.
“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”
WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected, he added.
Security company Rapid7 said that the latest vulnerability is different to the usual throng of WordPress-based attacks which target the core WordPress CMS engine rahter than a particular plugin.
“While we see WordPress exploits fairly regularly, they are necessarily limited in scope to just those sites that have enabled the vulnerable plugin,” said Rapid7 engineering manager Tod Beardsley.
Defense contractor Raytheon is acquiring Websense, which it will combine with its own security unit to create a new, separately operated business to battle criminal networks and state-funded espionage.
Today’s Internet attacks “are becoming increasingly more sophisticated and are being perpetuated by state sponsored groups, criminal organizations, hacktivists and insiders,” said David Wajsgras, president of Raytheon intelligence, information and services business, in a conference call Monday announcing the acquisition. “Our goal is to provide defense-grade solutions that allow our customers defend against [attacks], detect them early, decide how to counter and defeat such attacks in real-time.”
Raytheon plans to spend $1.9 billion in a deal to get 80 percent ownership of the new business based on Websense. It will then create the new company by combining Websense with its own cyberproducts business unit, valued at approximately $400 million. Vista Equity Partners, Websense’s current owner, will purchase a 20 percent stake in the new, combined company, for approximately $335 million.
The joint venture will be a separately operated Raytheon business segment. John McCormack, current CEO of Websense, will serve as chief executive of the new business. The name of the new company will be disclosed when the deal closes, by the end of the second quarter, the companies said.
Websense’s Triton line of secure Web gateway products guard internal networks against malware, data theft and Internet-based snooping. The new company will combine Triton with Raytheon’s own SureView portfolio of security products, which can watch for unusual user activity, protect against known vulnerability attacks, and detect hidden anomalies using machine-learning technologies.
The two companies also have a complementary customer base. Raytheon has focused largely on serving U.S. defense agencies — it generated sales of $23 billion in 2014, which was mostly from large-scale systems work. Websense has a strong presence in the commercial enterprise market. It serves 21,000 customers and has relationships with over 2,200 channel partners.
Certicom, a subsidiary of BlackBerry and an industry pioneer in elliptic curve cryptography, announced a new offering that it contends will secure millions of devices, expected to be part of the growing Internet of Things (IoT) sphere.
The company said it has already won a contract in Britain to issue certificates for the smart meter initiative there with more than 104 million smart meters and home energy management devices.
The service will make it much easier for companies rolling out such devices to authenticate and secure them, the company said.
Separately, BlackBerry also outlined a plan to expand its research and development efforts on innovation and improvement in computer security.
The initiative is being dubbed BlackBerry Center for High Assurance Computing Excellence (CHACE).
Increased network and device security has become a huge focus for large North American corporations in the face of costly and damaging security breaches.
U.S. retailer Target Corp is still recovering from a major breach in 2013 in which 40 million payment card numbers and 70 million other pieces of customer data such as email addresses and phone numbers were stolen.
Michaels Stores, the biggest U.S. arts and crafts retailer, said last year it had suffered a security breach that may have affected about 2.6 million payment cards.
BlackBerry said the fail-then-patch approach to managing security risk has become a widely accepted practice, but through CHACE it plans to develop tools and techniques that deliver a far higher level of protection than is currently available.