The company launched an investigation in early May after receiving reports of unusual activity involving payment cards used at some of its stores. While it now has sufficient evidence to confirm an illegal intrusion, the company declined to comment on the breach’s scope until the forensics investigation is complete.
Sally Beauty is one of the largest retailers of beauty products in the U.S. and has over 4,500 stores.
In March last year, the company said hackers stole up to 25,000 customer records containing payment card data. According to the company’s annual report for 2014, attackers managed to install malware on some of its point-of-sale systems and captured “track 2” card data.
Track 2 refers to one of the data tracks encoded on a card’s magnetic stripe. It contains the card’s number and expiration date and can be used by criminals to clone it.
“There can be no assurances that we will not suffer another cyber-attack or data security breach in the future and, if we do, whether our physical, technical and procedural safeguards will adequately protect us against such attacks and breaches,” the company said in its report.
The compromise of point-of-sale systems with memory-scraping malware has resulted in some of the largest card breaches over the past two years. The technique was used to steal 56 million payment card records from Home Depot last year and 40 million from Target in late 2013.
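The Track 2 records described above are exactly what memory-scraping malware harvests from a point-of-sale process before exfiltration, so a defender's first question is how to recognise them in a memory dump, an outbound capture or a DLP stream. The following Python script is an added example, not code from the article or from any company named in it: it scans a byte buffer for Track 2 records using the ISO/IEC 7813 layout (start sentinel, PAN, `=` separator, YYMM expiry, service code, discretionary data, end sentinel), drops false positives with a Luhn check and a month-range check, and reports masked PANs only. The sample buffer, the terminal name in it and the field names of the findings are constructed; the PANs are the public industry test numbers.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSSddd...?
#   ';' start sentinel, PAN of 13-19 digits, '=' field separator, YYMM expiry,
#   3-digit service code, discretionary data, '?' end sentinel.
# The sentinels are optional in the pattern because scraped buffers often hold bare fields.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Never log a full PAN: keep only the last four digits in findings."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_track2(blob: bytes) -> list:
    """Return one finding per plausible Track 2 record in the buffer."""
    findings = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode("ascii")
        yy, mm = m.group(2).decode("ascii"), m.group(3).decode("ascii")
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        findings.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": f"20{yy}-{mm}",
            "service_code": m.group(4).decode("ascii"),
        })
    return findings


# Constructed sample: what a scraped POS process buffer might contain. The PANs are the
# public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444; nothing here is real.
SAMPLE_DUMP = (
    b"\x00\x00POS-TERM-07\x00"
    b";4111111111111111=2512101123456789?"   # valid record, expires Dec 2025
    b"\x00junk\x00"
    b";4111111111111112=2512101000000000?"   # fails Luhn: skipped
    b"\x00"
    b"5555555555554444=2706201987654321"     # bare fields without sentinels: still found
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

Run as-is, the script prints two findings and silently skips the record whose PAN fails the Luhn check. The same function can be pointed at a process dump taken from a suspected POS host or at the payload of an outbound connection; a hit on a host that should never hold clear-text track data is a high-confidence indicator of a scraper, and because findings carry only masked PANs they can go straight into a ticket or SIEM event.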
WordPress has issued a security fix after millions of websites were at risk of a bug that allows attackers to take control of a system.
Patched in the WordPress 4.2.1 Security Release, the fix was announced in an advisory by WordPress consultant Gary Pendergast just hours after the vulnerability was disclosed by a bug hunter.
“A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site,” read the advisory.
“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those.”
Uncovered by Jouko Pynnönen, a researcher at Finnish security company Klikki Oy, the vulnerability is a cross-site scripting (XSS) bug that could allow a hacker to take over an entire server running the WordPress platform by changing passwords and creating new accounts.
Pynnönen knew about the bug for some time but decided to take it public because WordPress “refused all the communication attempts” he has made since November 2014.
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” explained Pynnönen in a blog post.
“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
The vulnerability is exploited by injecting code into the comments section of the site and then adding more than 64 KB of text.
“If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page,” he continued.
“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”
WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected, he added.
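The failure mode Pynnönen describes is worth seeing in miniature: a comment is filtered on the way in, the database column then silently drops everything past its size limit, and the fragment that is actually stored ends inside a tag the filter had approved. The Python model below is an added example and is not WordPress code or the project's patch. It has an input-side tag allowlist, a stand-in for a 64 KB TEXT column that truncates in non-strict mode, a well-formedness check, a hardened store path that rejects oversized comments and verifies the stored value against the validated one, and output-side filtering that neutralises a fragment cut mid-attribute. The function names, the column size constant and the sample comment are constructed.

```python
import re

COLUMN_LIMIT = 65535  # bytes held by a MySQL TEXT column; constructed stand-in for the comment table

# Allowlist in the spirit of a comment filter: only <a title="..."> / </a> and <b> / </b> survive,
# every other angle bracket is escaped. A tag cut short never matches, which matters on output.
ALLOWED_TAG = re.compile(r'<a title="[^"<>]*">|</a>|</?b>')


def _escape(text: str) -> str:
    return text.replace("<", "&lt;").replace(">", "&gt;")


def allowlist_filter(text: str) -> str:
    """Keep allowed tags verbatim, escape everything else."""
    out, pos = [], 0
    for m in ALLOWED_TAG.finditer(text):
        out.append(_escape(text[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(_escape(text[pos:]))
    return "".join(out)


def db_truncate(value: str) -> str:
    """Emulate a TEXT column in non-strict mode: the tail past the limit is silently dropped."""
    return value.encode("utf-8")[:COLUMN_LIMIT].decode("utf-8", "ignore")


def is_well_formed(fragment: str) -> bool:
    """True when every '<' opens a complete tag and every tag's quotes are balanced."""
    tags = re.findall(r"<[^<>]*>", fragment)
    leftovers = re.sub(r"<[^<>]*>", "", fragment)
    return "<" not in leftovers and all(t.count('"') % 2 == 0 for t in tags)


def store_comment_vulnerable(text: str) -> str:
    """Filter on input, then trust the database: an oversized comment is cut mid-tag."""
    return db_truncate(allowlist_filter(text))


def store_comment_hardened(text: str) -> str:
    """Reject what will not fit, and verify that the stored value is the validated one."""
    filtered = allowlist_filter(text)
    if len(filtered.encode("utf-8")) > COLUMN_LIMIT:
        raise ValueError("comment exceeds storage limit; rejected instead of truncated")
    stored = db_truncate(filtered)
    if stored != filtered:
        raise RuntimeError("stored value differs from validated value")
    return stored


def hardened_rejects(text: str) -> bool:
    """True when the hardened path refuses the comment."""
    try:
        store_comment_hardened(text)
    except ValueError:
        return True
    return False


def render(stored: str) -> str:
    """Output-side filtering: a fragment cut inside an attribute no longer matches the allowlist."""
    return allowlist_filter(stored)


# Constructed sample: an allowed tag whose attribute alone exceeds the column size.
OVERSIZED_COMMENT = '<a title="' + "x" * 70000 + '">link</a> trailing text'

if __name__ == "__main__":
    broken = store_comment_vulnerable(OVERSIZED_COMMENT)
    print("vulnerable path well-formed:", is_well_formed(broken))
    print("after output filtering:    ", is_well_formed(render(broken)))
    print("hardened path rejects:     ", hardened_rejects(OVERSIZED_COMMENT))
```

The two controls are independent and both are worth having: the length check (and the comparison of what was stored with what was validated) removes the truncation step entirely, while filtering again at render time means that any fragment that reaches the database by another route, or through a column whose limit changed, is still neutralised before it is placed into the page.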
Security company Rapid7 said that the latest vulnerability is different to the usual throng of WordPress-based attacks, since it targets the core WordPress CMS engine rather than a particular plugin.
“While we see WordPress exploits fairly regularly, they are necessarily limited in scope to just those sites that have enabled the vulnerable plugin,” said Rapid7 engineering manager Tod Beardsley.
Defense contractor Raytheon is acquiring Websense, which it will combine with its own security unit to create a new, separately operated business to battle criminal networks and state-funded espionage.
Today’s Internet attacks “are becoming increasingly more sophisticated and are being perpetuated by state sponsored groups, criminal organizations, hacktivists and insiders,” said David Wajsgras, president of Raytheon intelligence, information and services business, in a conference call Monday announcing the acquisition. “Our goal is to provide defense-grade solutions that allow our customers to defend against [attacks], detect them early, decide how to counter and defeat such attacks in real-time.”
Raytheon plans to spend $1.9 billion in a deal to get 80 percent ownership of the new business based on Websense. It will then create the new company by combining Websense with its own cyberproducts business unit, valued at approximately $400 million. Vista Equity Partners, Websense’s current owner, will purchase a 20 percent stake in the new, combined company, for approximately $335 million.
The joint venture will be a separately operated Raytheon business segment. John McCormack, current CEO of Websense, will serve as chief executive of the new business. The name of the new company will be disclosed when the deal closes, by the end of the second quarter, the companies said.
Websense’s Triton line of secure Web gateway products guard internal networks against malware, data theft and Internet-based snooping. The new company will combine Triton with Raytheon’s own SureView portfolio of security products, which can watch for unusual user activity, protect against known vulnerability attacks, and detect hidden anomalies using machine-learning technologies.
The two companies also have a complementary customer base. Raytheon has focused largely on serving U.S. defense agencies — it generated sales of $23 billion in 2014, which was mostly from large-scale systems work. Websense has a strong presence in the commercial enterprise market. It serves 21,000 customers and has relationships with over 2,200 channel partners.
Certicom, a subsidiary of BlackBerry and an industry pioneer in elliptic curve cryptography, announced a new offering that it contends will secure millions of devices, expected to be part of the growing Internet of Things (IoT) sphere.
The company said it has already won a contract in Britain to issue certificates for the smart meter initiative there with more than 104 million smart meters and home energy management devices.
The service will make it much easier for companies rolling out such devices to authenticate and secure them, the company said.
Separately, BlackBerry also outlined a plan to expand its research and development efforts on innovation and improvement in computer security.
The initiative is being dubbed BlackBerry Center for High Assurance Computing Excellence (CHACE).
Increased network and device security has become a huge focus for large North American corporations in the face of costly and damaging security breaches.
U.S. retailer Target Corp is still recovering from a major breach in 2013 in which 40 million payment card numbers and 70 million other pieces of customer data such as email addresses and phone numbers were stolen.
Michaels Stores, the biggest U.S. arts and crafts retailer, said last year it had suffered a security breach that may have affected about 2.6 million payment cards.
BlackBerry said the fail-then-patch approach to managing security risk has become a widely accepted practice, but through CHACE it plans to develop tools and techniques that deliver a far higher level of protection than is currently available.
“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).
With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.
This could explain why attackers have recently targeted U.S. health insurance providers. Last Tuesday, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. Last month, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack.
Both attacks exposed similar data, including names, Social Security numbers, birth dates, telephone numbers, member identification numbers, email addresses and mailing addresses. In the Premera breach, medical claims information was also accessed.
If the attackers try to monetize this information, the payout could prove lucrative.
Credentials that include Social Security numbers can sell for a couple of hundred dollars since the data’s lifetime is much longer compared to pilfered credit card numbers, said Matt Little, vice president of product development at PKWARE, an encryption software company with clients that include health care providers. Credit card numbers, which go for a few dollars, tend to work only for a handful of days after being reported stolen.
Target is reportedly close to paying out $10m to settle a class-action case that was filed after it was hacked and stripped of tens of millions of peoples’ details.
Target was smacked by hackers in 2013 in a massive cyber-thwack on its stores and servers that put some 70 million people’s personal information in harm’s way.
The hack has had massive repercussions. People are losing faith in industry and its ability to store their personal data, and the Target incident is a very good example of why people are right to worry.
As well as tarnishing Target’s reputation, the attack also led to a $162m gap in its financial spreadsheets.
The firm apologized to its punters when it revealed the hack, and chairman, CEO and president Gregg Steinhafel said he was sorry that they have had to “endure” such a thing.
Now, according to reports, Target is willing to fork out another $10m to put things right, offering the money as a proposed settlement in one of several class-action lawsuits the company is facing. If accepted, the settlement could see affected parties awarded some $10,000 for their troubles.
We have asked Target to either confirm or comment on this, and are waiting for a response. For now we have an official statement at Reuters to turn to. There we see Target spokeswoman Molly Snyder confirming that something is happening but not mentioning the 10 and six zeroes.
“We are pleased to see the process moving forward and look forward to its resolution,” she said.
Not available to comment, not that we asked, will be the firm’s CIO at the time of the hack. Thirty-year Target veteran Beth Jacob left her role in the aftermath of the attack, and a replacement was immediately sought.
“To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” said Steinhafel then.
“As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation.”
“Transformational change” pro Bob DeRodes took on the role in May last year and immediately began saying the right things.
“I look forward to helping shape information technology and data security at Target in the days and months ahead,” he said.
“It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests.”
We would ask Steinhafel for his verdict on DeRodes so far and the $10m settlement, but would you believe it, he’s not at Target anymore either having left in the summer last year with a reported $61m golden parachute.
Two Vietnamese men have been charged, with one pleading guilty, for hacking into eight U.S. email service providers and stealing 1 billion email addresses and other confidential information, resulting in what’s believed to be the largest data breach in U.S. history, the U.S. Department of Justice announced.
The attacks, running from February 2009 to June 2012, resulted in the largest data breach of names and email addresses “in the history of the Internet,” Assistant Attorney General Leslie Caldwell said in a statement. After stealing the email addresses, the defendants sent spam emails to tens of millions of users, generating US$2 million in sales, according to the DOJ.
Viet Quoc Nguyen, 28, of Vietnam, allegedly hacked into the email service providers, stealing proprietary marketing data containing more than 1 billion email addresses, the DOJ said. Nguyen, along with Giang Hoang Vu, 25, also of Vietnam, then allegedly used the data to send spam messages, the agency alleged.
The indictments of the two men were unsealed Thursday. On Feb. 5, Vu pleaded guilty in U.S. District Court for the Northern District of Georgia to conspiracy to commit computer fraud.
Vu was arrested by Dutch law enforcement in 2012 and extradited to the U.S. a year ago. He is scheduled to be sentenced on April 21. Nguyen remains at large.
In addition to the unsealing of the indictments, a federal grand jury returned an indictment this week against a Canadian citizen for conspiring to launder the proceeds obtained as a result of the massive data breach.
David-Manuel Santos Da Silva, 33, of Montreal, was indicted for conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the spam emails and launder the proceeds.
Uber found out about a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.
The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.
It’s in the process of notifying the affected drivers and advised them to monitor their credit reports for fraudulent transactions and accounts. It said it hadn’t received any reports yet of actual misuse of the data.
Uber will provide a year of free identity protection service to the affected drivers, it said, which has become fairly standard for such breaches.
The company said it had filed a “John Doe” lawsuit Friday to help it confirm the identity of the party responsible for the breach.
Chinese PC and mobile phone maker Lenovo Group Ltd acknowledged that its website was hacked, its second security blemish days after the U.S. government advised consumers to remove software called “Superfish” pre-installed on its laptops.
Hacking group Lizard Squad claimed credit for the attacks in posts on microblogging service Twitter. Lenovo said attackers breached the domain name system associated with Lenovo and redirected visitors to lenovo.com to another address, while also intercepting internal company emails.
Lizard Squad posted an email exchange between Lenovo employees discussing Superfish. The software was at the center of public uproar in the United States last week when security researchers said they found it allowed hackers to impersonate banking websites and steal users’ credit card information.
In a statement issued in the United States on Wednesday night, Lenovo, the world’s biggest maker of personal computers, said it had restored its site to normal operations after several hours.
“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time,” the company said. “We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information.”
Lizard Squad has taken credit for several high-profile outages, including attacks that took down Sony Corp’s PlayStation Network and Microsoft Corp’s Xbox Live network last month. Members of the group have not been identified.
Starting 4 p.m. ET on Wednesday, visitors to the Lenovo website saw a slideshow of young people looking into webcams and the song “Breaking Free” from the movie “High School Musical” playing in the background, according to technology publication The Verge, which first reported the breach.
Although consumer data was not likely compromised by the Lizard Squad attack, the breach was the second security-related black eye for Lenovo in a matter of days.
Nearly half of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
The news comes in the same week that HP took a swipe at rival Lenovo for knowingly putting Superfish adware into its machines.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
The main recommendations of the report are that network administrators should employ a comprehensive and timely patching strategy, perform regular penetration testing and variation of configurations, keep equipment up to date to mitigate risk, share collaboration and threat intelligence, and use complementary protection strategies.
The threat to security from the IoT is already well documented by HP, which released a study last summer revealing that 90 percent of IoT devices take at least one item of personal data and 60 percent are vulnerable to common security breaches.
The No. 2 U.S. health insurer said on Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem announced a warning about an email scam in a statement, saying the messages purport to come from Anthem and ask recipients to click on a link to obtain credit monitoring. Anthem advised recipients not to click on links or provide any information on any website.
The company said it will contact current and former members about the attack only via mail delivered by the U.S. Postal Service. It is not calling members regarding the breach and is not asking for credit card information or Social Security numbers over the phone.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach.
The insurer acknowledged that data accessed by hackers had not been encrypted, as is the normal practice at many companies.
“When the data is moved in and out of the warehouse it is encrypted. But when it sits in the warehouse, it’s not encrypted,” Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. “I think that is standard practice,” she added.
“How we managed our data in the warehouse has been appropriate,” Wakefield said. “No one has pointed a finger and said you did this wrong and this is why this happened.”
But Richard Marshall, a former senior cybersecurity defense expert at the U.S. National Security Agency, said the numbers should have been encrypted.
“Social Security numbers can be sold to people who are here illegally,” said Marshall, who now advises private security firms. “Identity theft is a major issue.”
Hundreds of thousands of websites running WordPress have been infected by a piece of malware called SoakSoak. Google has flagged more than 11,000 domains hosting a WordPress website as malicious.
Websites running a third-party plug-in called Slider Revolution are being hacked, and malicious code is being installed that will in turn infect those who visit the website. The developers of the plug-in, ThemePunch, have admitted that they knew about the vulnerability in February this year but kept quiet about it.
ThemePunch developed 29 security fixes from February to September, resisting a public call for action because of a “fear that an instant public announcement would spark a mass exploitation of the issue”.
The company had hoped that most users would install these updates, solving the problem, but it now admits that this was “sadly not the case.”
“We as a team would like to apologize officially to our clients for the problems that arose due to the security exploit in Revolution Slider Plugin versions older than 4.2,” it says on its website.
The short answer is that you have to upgrade everything that moves on your WordPress site or it will be toast.
Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive network breach that severely hindered its operations and exposed sensitive data, according to cybersecurity experts who have studied past breaches.
The tab will be less than the $171 million Sony estimated for the breach of its Playstation Network in 2011 because it does not appear to involve customer data, the experts said.
Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack. Lost productivity while operations were disrupted will add to the price tag.
The attack, believed to be the worst of its type on a company on U.S. soil, also hits Sony’s reputation for a perceived failure to safeguard information, said Jim Lewis, senior fellow at the Center for Strategic and International Studies.
“Usually, people get over it, but it does have a short-term effect,” said Lewis, who estimated costs for Sony could stretch to $100 million.
It typically takes at least six months after a breach to determine the full financial impact, Lewis said.
Sony has declined to estimate costs, saying it was still assessing the impact.
The company has insurance to cover data breaches, a person familiar with the matter said. Cybersecurity insurance typically reimburses only a portion of costs from hacking incidents, experts said.
More than a week after a massive cyber attack on Sony Pictures Entertainment, the Hollywood studio is still struggling to restore some systems as investigators search for evidence to identify the culprit.
Some employees at the Sony Corp entertainment unit were given new computers to replace ones that had been attacked with the rare data-wiping virus, which had made their machines unable to operate, according to a person with knowledge of Sony’s operations.
In a memo to staff seen by Reuters, studio co-chiefs Michael Lynton and Amy Pascal acknowledged that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
They are “not yet sure of the full scope of information that the attackers have or might release,” according to the memo first reported by Variety, and encouraged employees to take advantage of identity protection services being offered.
Their concern underscores the severity of the breach, which experts say is the first major attack on a U.S. company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.
Government investigators led by the FBI are considering multiple suspects in the attack, including North Korea, according to a U.S. national security official with knowledge of the investigation.
The FBI said Tuesday that it is working with its counterparts in Sony’s home country of Japan in the investigation.
That comes after it warned U.S. businesses on Monday about hackers’ use of malicious software and suggested ways to defend themselves. The warning said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the apps store, which were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.