2014-unknown

Compromises in 2014 affecting an unknown number

01/01/2014 Skype

a business other than retail at One Microsoft Way Redmond, Washington
 
Happy New Year – Reuters reports that Skype internet calling service had been hacked by the Syrian Electronic Army who apparently posted this message on Skype’s official Twitter feed on Wednesday 1/1/2014.

Don’t use Microsoft emails (hotmail, outlook), They are monitoring your accounts and selling the data to the governments. More details soon. #SEA

The group also posted the contact information of Steve Ballmer, Microsoft Corp’s retiring chief executive, on its Twitter account along with this message:

You can thank Microsoft for monitoring your accounts/emails using this details. #SEA

Update: It appears the hack was to the social media used by Skype, not of the Skype service itself. According to a Skype spokesman:

“We recently became aware of a targeted cyber attack that led to access to Skype’s social media properties, but these credentials were quickly reset. No user information was compromised,” a Skype spokesperson said.

This non-financial information was compromised for one user, Skype. It may be that the SEA compromised more than one user, but only one had been publicly affected.

Article
http://www.reuters.com/article/2014/01/02/us-usa-syria-hack-idUSBREA0101X20140102
No User Information Compromised
http://www.ft.com/cms/s/0/1f7f68e0-732e-11e3-b05b-00144feabdc0.html#axzz2pGvxB9hc

 
01/02/2014 Straight Dope Message Board
a business other than retail at 350 Orleans Street, 10th Floor Chicago, Illinois
 
01/03/2014 Agency of Human Services
Government at 208 Hurricane Lane, Suite 103 Williston, Vermont  

01/07/2014 Risk Solutions International LLC, Loudoun County Public Schools
an educational institution at 21000 Education Court Ashburn, Virginia  

01/10/2014 Barry University
an educational institution at PO Box 6336 Portland, Oregon  

01/13/2014 Update Legal
a business other than retail at 100 California Street San Francisco, California  

01/15/2014 City of Burlington
City Government at City Hall, Room 20, 149 Church Street Burlington, Vermont  

01/17/2014 E-Benefits Department of Veteran Affairs
Federal Government in Washington, DC  

01/20/2014 Dartmouth-Hitchcock
a business other than retail at 1 Medical Center Drive Lebanon, New Hampshire  

01/21/2014 DHS Security portal compromised

A DHS web portal has exposed over 500 private documents submitted by over 100 organizations responding to a DHS S&T request for a new communications system. Some organizations had included bank information. The web portal is run by a company that provides similar services for other government departments including the FAA, DHHS, GSA, IRS, DOJ, NASA and others. More details are on DHS Portal compromise

01/21/2014 Spying Garbage Cans & Thieving Gas Pumps

There has been an indictment on a group that installed skimmers inside gas pumps in the New York area which stole more than $2M. This group appears to have also cracked machines in Georgia, South Carolina and Texas. How did they do it? A skimmer is a device that attaches to a card receiver such as those found at gas pumps and automated teller machines (ATMs). The skimmer can be external or internal.
 
Trash cans in the City of London were snooping on people throwing trash in bins. During and after the 2012 Olympic games some 200 bomb-proof bins with digital screens and wireless networking (WiFi) to display advertisements were installed. In June 2013 that shifted to scanning for smartphones and recording the unique media access control (MAC) to find the manufacturer. The same device could determine the distance from the trash bin. If the smartphone was stationary it would record for how long. If the smartphone was moving it would record in what direction and speed. In just one week these trash bins tracked over 4 million devices. There are diverse points of view. In August 2013 the City of London ordered that this ‘spy bin’ program cease.
 
See links and more on Spying Garbage Cans & Thieving Gas Pumps which also includes a good link to skimmers in general

 
01/23/2014 W.J Bradley
a Financial or Insurance Services firm at 6465 South Greenwood Plaza Blvd. Centennial, Colorado  

01/24/2014 St. Francis Hospita and Medical Centers
a healthcare provider or servicer at 114 Woodland Street Hartford, Connecticut  

01/24/2014 Coca-Cola Company
a retail business at One Coca-Cola Plaza Atlanta, Georgia  

01/27/2014 State Industrial Products
a business other than retail at 5915 Landerbrook Drive, Suite 300 Mayfield Heights, Ohio  

01/28/2014 Bring It To Me
a retail business at 4640 Cass Street San Diego, California  

01/30/2014 Yahoo Email

Yahoo email users may have had their accounts compromised. How many were undisclosed, but Yahoo provides 273 million email accounts around the world with 81 million of them for the United States. Yahoo has not disclosed how many wre affected. References and more details are available on the Yahoo email beach page.

 
01/30/2014 UC Davis Health System
a healthcare provider or servicer at 2315 Stockton Boulevard Sacramento, California  

01/31/2014 White Lodging Services Corporation

a retail business headquartered at 701 East 83rd Avenue Merrillville, Indiana

When: March 20, 2013 through December 16, 2013. Where: Affected locations include
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Marriott Midway, Chicago, IL
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville KY
  • Radisson Star Plaza, Merrillville, IN
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
 
Scope: Exposed data included names as printed on cards, card numbers, the security code and card expiration dates. Scale: Not disclosed.

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation, which bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants. Krebs On Security

     2/03/2014 White Lodging provided no-charge ID protection and more. See FAQ.


02/05/2014 Oregon Secretary of State
Oregon state government is headquartered in Salem
The Oregon Central Business Registry and campaign finance reporting system (ORESTAR) were improperly accessed. The scale and scope of compromised information is unknown. (source) [ ed: these systems provide information to the public. Cui bono? Why access it criminally? ]

02/07/2014 Easter Seals of Superior California
a healthcare provider or servicer at P.O. Box 3825 Suwanee, Georgia  

02/07/2014 San Francisco Airport-South San Francisco Embassy Suites Hotel
a business other than retail at 250 Gateway Boulevard South San Francisco, California  

02/08/2014 Boston Scientific
a healthcare provider or servicer at One Boston Scientific Place Natick, Massachusetts  

02/08/2014 Medtronic
a healthcare provider or servicer at 710 Medtronic Parkway Minneapolis, Minnesota  

02/10/2014 Freeman
a Financial or Insurance Services firm at PO Box 660613 Dallas, Texas  

02/10/2014 Nielsen
a business other than retail at 85 Broad Street New York, New York  

02/11/2014 Bank of the West
a Financial or Insurance Services firm at 180 Montgomery Street San Francisco, California  

02/12/2014 Las Vegas Sands Hotels and Casinos
a business other than retail in Las Vegas, Nevada  

02/13/2014 Zevin Asset Management LLC
a Financial or Insurance Services firm at 50 Congress Street, Suite 1040 Boston, Massachusetts  

02/14/2014 Forbes.com
a business other than retail at 90 5th Avenue New York, New York  

02/14/2014 Experian
a Financial or Insurance Services firm at 475 Anton Blvd Costa Mesa, California

02/15/2014 Blue Shield of California
a business other than retail at 50 Beale Street San Francisco, California  

02/15/2014 Kickstarter
a business other than retail in Greenpoint, Brooklyn, New York  

02/20/2014 Alaska Communications
a retail business at 600 Telephone Avenue Anchorage, Alaska  

02/20/2014 Department of Resources, Recycling and Recovery
Government at 1001 I Street Sacramento, California  

02/21/2014 Discover Financial Services
a Financial or Insurance Services firm in Salt Lake City, Utah  

2/22/2014 Apple SSL/TLS fixed for iPhone and OS/x
See details

02/25/2014 Mt. Gox BTC Exchange

a Financial or Insurance Services firm somewhere in the internet

Update 8/1/2015 Mark Karpeles Arrested in Japan
The unexplained loss of BitCoins and cash worth nearly half a billion US dollars caused the Mt. Gox exchange to file for bankruptcy in 2014. In early August 2015, the Tokyo Metropolitan Police Department arrested the head of the exchange because they believed the 30 year old Karpeles had “unjustly inflated the balance” of an account by manipulating transaction records. “He created false information that $1 million had been transferred into the account, when in fact it had not been,” the police said. Karpeles, a French National, had not yet been charged (Japanese law allows for detention without charge for several weeks) indicated the reports were false and would be contested. More at NYTimes

05/26/2016 Update  Mt. Gox creditors seek trillions

In 2014 Mt. Gox, a major Bitcoin virtual currency exchange, went into bankruptcy after inflating its reported assets to more than $500 million. More than a year later the founder, a French national, was arrested in Japan. The claims against the bankrupt entity are just over $2.4 trillion dollars, the same rounded value as the Gross Domestic Product of France according to the 2015 International Monetary Fund (IMF) ranking. The number is empirically odd. On 4/8/2014 the price was $453/BTC. For the 12.6 million BTC in circulation at the time, that is a total value of about $5.7 billion.

On 5/25/2016 the bankruptcy trustee in Japan reported that just over $90 million in assets has been located. The cost for bankruptcy are over $50 million and there are over $400 million in approved claims. More at NY Times

[ There are several things that don’t add up. How many BTC were there in reality? How many were inflated by accounting antics? If all those BTC were there, where are they now? Did the founder, or someone else, take them? If the claims for $2.4 trillion are accurate, even by an order of magnitude, how did people believe they (collectively) had $240 billion in BTC when less than 10% of that existed at the time? Were they scam victims on such a scale that Madoff seems like pocket change? How many people were victimized? For $55 million in bankruptcy expenses I’d have hoped for more answers. -ed ]

02/26/2014 Apple
a business other than retail at 1 Infinite Loop Cupertino, California  

02/27/2014 Oak Associates Funds
a Financial or Insurance Services firm at P.O. Box 8092 Boston, Massachusetts  

02/27/2014 L.A Care Health Plan
a healthcare provider or servicer at 1055 West Street, 10th Floor Los Angeles, California  

02/28/2014 Sears
a retail business at 3333 Beverly Road Hoffman Estates, Illinois  

03/01/2014 Managed Med, A Psychological Organization
a healthcare provider or servicer in Los Angeles, California  

03/04/2014 Eureka Internal Medicine
a healthcare provider or servicer at 2280 Harrison Avenue Eureka, California  

03/04/2014 Assisted Living Concepts, LLC
a healthcare provider or servicer at 330 North Wabash Avenue, Suite 3700 Chicago, Illinois  

03/04/2014 Smucker’s
a retail business at 1 Strawberry Lane Orrville, Ohio
According to the company the compromised information could include name, address, email address, phone, charge card numbers, expiration dates and verification codes. The company notice  More from Krebs

03/04/2014 Capital One
a Financial or Insurance Services firm at P.O Box 30285 Salt Lake City, Utah  

03/05/2014 OANDA
a Financial or Insurance Services firm at 140 Broadway, 46th Floor New York, New York  

03/11/2014 City of Hope
a healthcare provider or servicer at 1500 East Duarte Road Duarte, California  

03/12/2014 NoMoreRack.com
a retail business at 381 Park Avenue South New York, New York
In August 2013 the Discover Card association indicated NoMoreRack.com was a likely point-of-compromise and requested NoMoreRack complete a forensics audit. Completed in October 2013 and, although a few minor bugs were reported, there was no “conclusive” evidence of a leak. In February 2014 Discover reported more compromised cards, all used on the company on-line store between November 1, 2013 and January 15, 2014. The company was PCI-compliant as a tier-2 processor, but has engaged a firm to do a tier-1 examination. Source

03/13/2014 Silversage Advisors
a Financial or Insurance Services firm at 19200 Von Karman Avenue, Suite 370 Irvine, California  

03/17/2014 Kichlerlightinglights.com
a retail business at 138 Bowery 2nd Floor New York, New York  

03/17/2014 Arcadia Home Care and Staffing
a healthcare provider or servicer at 20750 Civic Center Drive, Suite 100 Southfield, Michigan  

03/17/2014 ELightBulbs.com
a retail business in Maple Grove, Minnesota  

03/18/2014 The Shelburne Country Store
a retail business at 29 Falls Road Shelburne, Vermont  

03/18/2014 Yellowstone Boys and Girls Ranch (YBGR)
a healthcare provider or servicer in Billings, Montana  

03/20/2014 Auburn University
an educational institution in Auburn, Alabama  

03/20/2014 Marian Regional Medical Center
a healthcare provider or servicer at 1400 East Church Street Santa Maria, California  

03/21/2014 San Francisco Department of Public Health/Sutherland Healthcare Solutions
a healthcare provider or servicer in San Francisco, California  

03/21/2014 Castle Creek Properties, Inc./Rosenthal Wine Shop
a retail business at 18741 Pacific Coast Highway Malibu, California  

03/22/2014 California DMV

California Department of Motor Vehicles, a part of
State Government headquartered in Sacramento, California

Once again, a breach appears to have occurred and not been noticed until the stolen information became available for sale.

Who The CDMV appears to have compromised the charge cards used in on line services. Date Range A MasterCard alert indicated the affected transactions were from from August 2, 2013 to January 31, 2014, about six months. Scope Information exposed included the card number, expiration date, and three-digit security CVV code. Scale not disclosed. In a press release on January 7, 2013 [ http://www.dmv.ca.gov/pubs/newsrel/newsrel13/2013_01.htm ] the CDMV reported nearly 12 million online transactions during 2012.

More on the story from San Franciso Chronicle and security researcher Brian Krebs.

Update (the evening of the same day) CDMV issued a statement which stated that there was no breach of the CDMV systems, but an unnamed “external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.” Source On page 2 of a May 2010 Electronic Payment Acceptance Services Master Service Agreement (MSA), specifically Exhibit G–Agreement For Merchant Processing Services from the Department of General Services (16 page PDF)

In Exhibit G, the defined term “Contractor” means “Elavon, Inc., or its affiliates providing services hereunder.” Elavon‘s web site indicates they are a very large processor for airlines, restaurants, hospitality, retail, healthcare, the public sector (such as CDMV) and education. The scale potential is large.

CDMV has released this FAQ [ http://www.dmv.ca.gov/about/cc_faq.htm ] where NINE times in they stated “There is no evidence at this time of a direct breach of the DMV’s computer system.” [highlighting ours -ed] Also released was this Identity Fraud Fact Sheet.

Update (6/24/2014) What is a “direct breach”? What was the scale of the exposure? It appears that the three month investigation has been completed and “… neither DMV nor Evalon has filed a data breach notification with the California Attorney General’s Office as of June 24. Such notice is required whenever a breach involved more than 500 state residents.” Source. Also “The California DMV has confirmed that there was no breach of its systems. .. Elavon, who also denied any breach.” source

Update (7/29/2014) “Last month DMV quietly announced it had closed its investigation with no breach found despite the fact that law enforcement officials and several banks felt they’d pinpointed an intrusion. It remains unclear whether USSS is done with its own investigation into that case but a spokesman told idRADAR News “USSS does not have an comment on (DMV’s announcement).” When asked whether USSS was still investigating DMV’s payment processor Evalon, the reply was “USSS does not have any comment on Evalon.” according to a 7/29/2014 article in Military.com. “USSS” is the United States Secret Service.

So … what happened? Does any charge card provider have information on the number of cards exposed?
 
 
03/27/2014 Sorenson Communications and CaptionCall
a business other than retail at 4192 Riverboat Road Salt Lake City, Utah  

04/02/2014 California Correctional Institution
State Government at P.O Box 1031 Tehachapi, California  

04/03/2014 Cole Taylor Mortgage
a Financial or Insurance Services firm at PO Box 6336 Portland, Oregon  

04/07/2014 Heartbleed/CVE-2014-0160
This is a capability, not a specific exposure. The “Heartbleed” bug can expose anything that happens to be in memory. “Anything” includes content, passwords and fundamental encryption keys. See also 9/24/2014 Bash bug/CVE-2014-6271/Shellshock

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice? We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

Anyway to track the exploit? Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. Source [ some editing -ed ]

When First introduced in December 2011 and went widespread with OpenSSL release 1.0.1 on March 14, 2012. OpenSSL version 1.0.1g released April 7, 2014 fixes the bug.

See XKCD cartoons 1353 and 1354 for a most excellent explanation.

National Institute of Standards and Technology (NIST)
DHS National Cyber Security Division
United States Computer Emergency Readiness Team (US-CERT)
National Vulnerabilities Database
Vulnerability Summary for CVE-2014-0160

The NCSC-FI Advisory on OpenSSL Published April 4, 2014.

More from security researcher Brian Krebs


07/06/2016 Heartbleed  Update
Two years after Heartbleed was identified and a review of 50 million internet connected machines, more than 200,000 systems remain vulnerable. More at Data Breach Today

04/07/2014 American Express Company
a Financial or Insurance Services firm at 200 Vesey Street New York, New York  

04/08/2014 StumbleUpon
a business other than retail in San Francisco, California  

04/09/2014 Clinical Reference Laboratory
a healthcare provider or servicer at 8433 Quivira Road Lenexa, Kansas

04/11/2014 LaCie USA / Seagate

a retail business at 7555 SW Tech Center Drive Tigard, Oregon
LaCie makes hard drives and is owned by Seagate Technologies

In March 2014 LaCie was disclosed as a victim of Adobe’s 2013 Cold Fusion exposure.

Their response in March 2014?

Clive Over, director of corporate communications for LaCie owner Seagate, said [ in March 2014 ] the company has investigated the incident and has so far found no indication that any customer data was compromised in the attack.

“This week, the Company received information indicating a server hosting LaCie.com may have been maliciously targeted and possibly breached at some point during calendar 2013,” Over said in an emailed statement. “Privacy and security is of utmost importance to the Company, and we therefore took immediate action to investigate this matter as soon as we became aware of it. The Company has conducted a preliminary investigation and, at this time, we are not aware that company or third party information was improperly accessed. The Company is currently working closely with third party experts to do a deeper forensic analysis.” source [ highlighting ours -ed ]

Update (4/15/2014) A month after being told about it LaCie / Seagate acknowledges breach.

Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014 [ almost a year! ]. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.” source [ highlighting ours -ed ]

There are no details on the scale (how many consumers) of the exposure. Of course there is a class action [ http://www.consumerclassactionlawyers.com/lacie-data-breach.html ] lawsuit in progress.
 

04/14/2014 Wilshire Mutual Funds
a Financial or Insurance Services firm at PO Box 219512 Kansas City, Missouri  

04/22/2014 NCO Financial Systems Inc.
a Financial or Insurance Services firm at 507 Prudential Road Horsham, Pennsylvania  

04/22/2014 Snelling Staffing LLC
a business other than retail at 4055 Valley View Lane Dallas, Texas  

04/25/2014 Willis North America Inc.
a business other than retail at 26 Century Boulevard Nashville, Tennessee  

04/28/2014 AOL
a business other than retail at 770 North Broadway New York, New York

Hackers stole “a significant number” of email addresses, passwords, contact lists, postal addresses and answers to security questions, the company said in a blog post Monday. Anyone of the company’s 120 million account holders might be affected. Judging by AOL’s description of the incident, that total number could well be in the tens of millions. But AOL isn’t giving any details about the incident for now.

The situation leaves folks … feeling hopeless. Two weeks ago, she was approached by a few coworkers … who said she was spamming them from an AOL account she hadn’t used in years. Curious, she logged in and realized her account wasn’t sending anything. The situation soon grew worse. This was the account she [had] used to teach her public speaking class seven years ago — and her old students were now receiving a flood of one-line emails with questionable links to websites based in Russia and Thailand. [she] is overcome by embarrassment and the fear that an unsuspecting ex-student will think the emails are actually from her. “It’s disheartening,” she said. “I would hate for something to go off on their computer because of me.” … Anyone who receives suspicious email is directed to forward the message to AOL_phish@abuse.aol.com. CNN article [ highlighting ours – ed]

04/30/2014 Boomerang Tags.com
a retail business at PO Box 417 Pismo Beach, California  

05/01/2014 JCM Partners LLC
a business other than retail at PO Box 3825 Suwanee, Georgia  

05/05/2014 ground (ctrl)
a business other than retail at 120 K Street Sacramento, California  

05/06/2014 California Department of Child Support Services
State Government at P.O. Box 419064 Rancho Cordova, California  

05/07/2014 Green’s Accounting
a Financial or Insurance Services firm in Greenfield, California  

05/07/2014 Gingerbread Shed Corporation
a retail business at 918 South Mill Avenue Tempe, Arizona  

05/14/2014 University California Irvine
an educational institution at 501 Student Health Irvine, California  

05/19/2014 Lowe’s
a retail business at 1000 Lowe’s Boulevard Mooresville, North Carolina  

05/21/2014 Paytime Inc.
a business other than retail at 5053 Ritter Road Suite 100 Mechanicsburg, Pennsylvania  

05/22/2014 Bluegrass Community Federal Credit Union
a Financial or Insurance Services firm at 2321 Carter Avenue Ashland, Kentucky  

05/22/2014 San Diego State University
an educational institution in San Diego, California  

05/26/2014 AutoNation Toyota of South Austin
a business other than retail in Austin, Texas  

05/26/2014 Power Equipment Direct
a retail business at P.O. Box 3825 Suwanee, Georgia  

05/28/2014 Sharper Future
a healthcare provider or servicer at 5860 S Avalon Blvd Los Angeles, California  

05/28/2014 Precision Planting
a business other than retail at 23207 Townline Road Tremont, Illinois  

05/29/2014 Montana Health Department
a healthcare provider or servicer at 111 North Sanders Street Helena, Montana  

06/03/2014 Craftsman Book Company
a business other than retail at 6058 Corte del Cedro Carlsbad, California  

06/04/2014 National Credit Adjusters
a Financial or Insurance Services firm at P.O Box 303 Hutchinson, Kansas  

06/06/2014 Miami-Dade County
County Government in Florida  

06/07/2014 Walgreens
a retail business at 595 Piedmont Avenue NE Atlanta, Georgia  

06/10/2014 AT&T Mobility, LLC
a retail business at 13075 Manchester Road Des Peres, Missouri

06/11/2014 PF Chang’s

a restaurant chain headquartered at 7676 East Pinnacle Peak Road Scottsdale, Arizona
As of mid-September 2014, three months later, there has been no statement of the breach scale.

Another case of where the breach was not known until the stolen cards were made available for sale and noticed by security researcher Brian Krebs. Sample cards from that batch were from early March 2014 to mid May 2014 at P.F. Chang’s locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. Chang’s started in 1993 and as of January 2012 there were over 200 restaurants in North America (United States, Canada, and Mexico), Puerto Rico, Argentina, Chile and the Middle East.

Update (6/13/2014) Chang’s confirmed breach. Restaurants affected and dates of compromise are posted along with a FAQ. Some dates go back to as early as 10/19/2013.

Update (6/17/2014) A Compromised Account Management System (CAMS) alert to issuers (providers) of cards that some specific cards of theirs may have been compromised so those providers can take prompt action to reduce fraud and protect consumers. CAMS are private communications from Visa, MasterCard etc. More at Krebs

Update (8/04/2014) Update on Chang’s web site

We have identified certain P.F. Chang’s China Bistro branded restaurants in the continental United States where we believe certain credit and debit cards used during specified time frames may have been compromised, and we have posted a list of those restaurant locations and time frames below. No Pei Wei branded restaurants have been affected by this security compromise. We are committed to providing support and resources, including complimentary identity protection services, for all guests that may potentially be affected by the security compromise. Additional details can be found in the updated information posted on this page. Source [highlighting ours -ed ]

 
06/12/2014 IS&S
Information Systems & Supplies Inc. is an independent reseller of point of sale (POS) products sold by software vendor Future POS Inc. and are based in Vancouver, Washington. On June 12 they notified their customers of a remote-access compromise that may have exposed card data used at POS transactions between February 28, 2014 and April 18, 2014. Source

06/18/2014 The Metropolitan Companies
a business other than retail in New York, New York  

06/20/2014 Mount Olympus Mortgage Company
a Financial or Insurance Services firm in Irvine, California  

06/20/2014 UCDC, Washington Center
an educational institution at 1608 Rhode Island Avenue NW Washington, DC  

06/24/2014 Riverside County Regional Medical Center
a healthcare provider or servicer at 26520 Cactus Avenue Moreno Valley, California  

06/26/2014 Sterne, Agee & Leach
a Financial or Insurance Services firm at 800 Shades Creek Parkway, Suite 700 Birmingham, Alabama  

06/26/2014 Record Assist LLC
a business other than retail at P.O. Box 19686 Houston, Texas  

06/26/2014 Orange Public School District
an educational institution in Orange, New Jersey

Mainstream Extortion?

There has been a growth in extortion crimes that mix traditional forms (off-line) and modern on-line techniques. A recent article by security researcher Brian Krebs described several instances of extortion apparently modeled after the long running protection gambit. Clearly labeled “Notice of Extortion” letters were sent via the postal service to several restaurants. Unless the restaurants paid “tribute” of 1 bitcoin (about $560 at the time of the article) there was a threat of vandalism, harassment, and the new twist – a torrent of bad reviews, complaints to the Better Business Bureau, clogging the telephone lines with denial of service attacks, fake delivery orders, bomb threats, other negative publicity and poisoning of materials. The late penalty payment raised the price to 3 bitcoins.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope. This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector … that stuff works and isn’t hard to do.” Per Nicholas Weaver, researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley. For more see

Perhaps foolishly sending the extortion letter thru the mail involved the United States Postal Inspection Service (USPIS) who made clear this is criminal activity. The USPIS is one of the oldest federal law enforcement agencies having been founded by Benjamin Franklin during his tenure as our nation’s first postmaster general by the Continental Congress in 1775.

If the printer used was a color laser then it might have a concealed fingerprint whose existence was exposed about 2008. You can check your own.

Sometimes the extortion threat is more like ransom. The shared database of some 650,000 customers of Domino’s Pizza in France and Belgium was compromised. The data contained names, addresses, telephone numbers, email addresses and passwords and crooks threatened to publish the data.

This is not a new crime. In 2013 the virus known as CryptoLocker Ransomware would infect a home or business computer and demand ransom to unlock it. (see How to Avoid) “CryptoLocker might be the best advertisement yet for cloud data storage systems. Johnny Kessel, a computer repair consultant with San Diego-based KitRx, has been urging clients to move more of their data to cloud services offered by Google and others. Kessel said one of his clients got hit with CryptoLocker a few weeks ago — losing access to not only the files on the local machine but also the network file server.” from a 2013 KOS article.

The downside of cloud storage is that the cloud is not immune from crime especially when hackers gain access to your credentials. One solution is to put backups of cloud storage not on the cloud, but off-line and out of the reach of crooks.

Crooks don’t only target small businesses. It was revealed in mid-2014 that in 2007 Nokia paid “millions of euros” to a crook for not publishing the app-signing keys of its Symbian operating system. With those keys malware could be branded “Symbian Signed” indicating a secured release.

The scale of these crimes may never be known as the victims, who are paying to keep information concealed, are not generally inclined to inform the police of the crime.
 
 
06/27/2014 Benjamin F. Edwards & Company
a Financial or Insurance Services firm at One North Brentwood Boulevard, Suite 850 St. Louis, Missouri  

07/01/2014 Vermont Health Exchange
a healthcare provider or servicer at 312 Hurricane Lane, Suite 201 Williston, Vermont  

07/02/2014 Goldman Sachs
a Financial or Insurance Services firm in New York, New York  

07/02/2014 Uxbridge School District
an educational institution at 21 South Main Street Uxbridge, Massachusetts  

07/03/2014 Watermark Retirement Communities
a business other than retail at 2020 W. Rudasill Road Tuscon, Arizona  

07/07/2014 Legal Sea Foods
a business other than retail at One Seafood Way Boston, Massachusetts  

07/08/2014 Aecom
a business other than retail at 555 South Flower Street Los Angles, California  

07/08/2014 The Houstonian Hotel, Club and Spa
a business other than retail at 111 North Post Oak Lane Houston, Texas  

07/08/2014 Heartland Automotive/Jiffy Lube
a business other than retail at 105 Decker Court, Suite 900 Irving, Texas  

07/08/2014 Park Hill School District
an educational institution in Kansas City, Missouri  

07/09/2014 US Office of Personnel Management
Federal Government at 1900 E Street NW Washington, DC  

07/11/2014 Boeing
a business other than retail in Seattle, Washington  

07/11/2014 University of Illinois, Chicago
an educational institution in Chicago, Illinois  

07/11/2014 Lockheed Martin
a business other than retail in Fortworth, Texas  

07/14/2014 Goodwill Industries International Inc.

a retail business headquartered in Rockville, Maryland

Goodwill Industries International, Inc. is a network of over 160 independent agencies in the United States, Canada and more than a dozen other countries. The fraud pattern of fraud on compromised debit and credit cards had been used at Goodwill stores in several states including Alabama, California, Colorado, Florida, Georgia, Illinois, Indiana, Kansas, Louisiana, Maryland, Missouri, North Carolina, New Mexico, Ohio, Pennsylvania, South Carolina, Tennessee, Virginia, Washington DC and Wisconsin.

Update: Goodwill reported that a third party vendor who operated the points of sale had been infected with malware allowing access some payment card data. About 10% of all members (a member may have one or more actual stores) used the same vendor and were impacted. There was no evidence of malware in internal systems. The breach may have started as early as February 10, 2013 and lasted until August 14, 2014. Their statement and the list of affected stores and contact numbers.

Update (9/16/2014) The third party vendor was identified as C&K Systems of Murrells Inlet, South Carolina who stated that their investigation found a specialized malware that was undetectable by their security software until 9/5/2014. More from security researcher Brian Krebs and a statement by C&K released on 9/15/2014.

[ed: If C&K were compromised for 18 months how many others are still compromised and don’t know it?]
 
 
07/14/2014 CNET
a business other than retail in New York, New York  

07/15/2014 Bank of The West
a Financial or Insurance Services firm at 180 Montgomery Street San Francisco, California  

07/15/2014 Atlantic Automotive Corporation/dba One Mile Automotive
a business other than retail at 1 Olympic Place Towson, Maryland  

07/15/2014 City of Encinitas/San Dieguito Water District
Local Governments in Encinitas, California  

07/16/2014 Douglas County School District
an educational institution at 620 Wilcox Street Castle Rock, Colorado  

07/17/2014 Freshology
a retail business in Burbank, California  

07/17/2014 Bank of America
a Financial or Insurance Services firm at 200 St. Paul Place Baltimore, Maryland  

07/22/2014 Vice.com
a business other than retail in Brooklyn, New York  

07/23/2014 Wall Street Journal
a business other than retail in New York, New York  

07/24/2014 TFA w/OTP defeated – Operation Emmental

As of mid 2014 this attack is targeting users in Austria, Switzerland, Sweden, and Japan defeating their Two Factor Authentication with One Time Passwords. More detail ….
 
 
07/28/2014 Backcountry Gear
a retail business at 1855 West 2nd Avenue Eugene, Oregon  

07/29/2014 Northern Trust Company
a business other than retail at 50 South LaSalle Street Chicago, Illinois  

07/30/2014 Lasko Group, Inc.
a retail business in West Chester, Pennsylvania  

07/31/2014 Recreational Equipment Inc. (REI)
a retail business in Kent, Washington  

07/31/2014 US-CERT re Backoff

United States Computer Emergency Response Team issued an alert. More details

08/05/2014 Vibram
a retail business in Concord, Massachusetts  

08/07/2014 San Mateo Medical Center
a healthcare provider or servicer at 222 West 39th Avenue San Mateo, California  

08/07/2014 University California Santa Barbara
an educational institution in Santa Barbara, California  

08/07/2014 Anderson & Murison
a Financial or Insurance Services firm at 800 West Colorado Blvd. Los Angeles, California  

08/12/2014 Freedom Management Group, LLC dba The Natural
a retail business at 175 Commerce Drive, Suite P Hauppauge, New York  

08/15/2014 Albertsons/AB Acquisitions LLC

a business other than retail in Boise, Idaho
(potentially huge, but number of compromises not released)
Hacked again on 9/29/2014

From Albertsons: Based on information we have at this time, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and our two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all impacted by this incident. [ http://www.albertsons.com/2014/08/ab-acquisition-llc-confirms-incident-involving-payment-card-data ] [highlighting ours -ed]

This event will only add to this sobering statistic: Half of American adults have been hacked this past year.

From CNN Money

 
08/19/2014 From Albertsons

AB Acquisition LLC is offering customers whose payment cards may have been affected 12 months of complimentary consumer identity protection services through AllClear ID. Customers may visit https://abacquisition.allclearid.com for further information about the incident and about complimentary consumer identity protection services being offered, or call AllClear ID at 1-855-865-4449 beginning at 2:00pm MT (4:00pm ET) on August 19, 2014.

Beginning August 19, you may call our toll-free customer information hotline at 1-855-865-4449 Monday through Saturday from 8:00am-8:00pm CT and a dedicated security professional will assist you in protecting your credit information. You can also reach out to us through Facebook www.facebook.com/albertsons or through our website www.albertsons.com.

From Albertsons

See also Jewel Osco notice and Chicago Tribune report.

08/15/2014 Supervalue

a business other than retail at 7075 Flying Cloud Drive Eden Prairie, Minnesota
See Albertsons above and SuperValue release dated 8/14/2014

08/18/2014 MeetMe, Inc.
a business other than retail in New Hope, Pennsylvania  

08/20/2014 The UPS Store

retail businesses in Arizona, California, Colorado, Connecticut, Florida, Georgia, Idaho, Illinois, Louisiana, Maryland, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Dakota, Tennessee, Texas, Virginia and Washington.

UPS discovered malware on its in-store systems at 51 of its locations in 24 states, just over 1% of the 4,470 franchises throughout the United States. Customers who had used their cards at affected locations from January 20 through August 11, 2014 may have been exposed. UPS is offering one year of no-charge identity protection and credit monitoring services to any customer who had used a credit or debit card at any of its affected store locations.

Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks. Only one-third of those experts said they did the kind of continuous database monitoring needed to identify irregular activity in their databases, and another 22 percent admitted that they did not scan at all. NY Times 8/20/2014 [ highlighting ours -ed]

Details on identity protection and affected locations are listed in this announcement and FAQ [ http://www.theupsstore.com/security/Pages/default.aspx ].

08/22/2014 ManagedMed Inc (A Psychological Corporation)
a healthcare provider or servicer in Los Angeles, California  

08/26/2014 Geekface LLC
a Non-Governmental Organization (includes non-profits) at P.O Box 1695 Pawcatuck, Connecticut  

08/26/2014 Long Beach Internal Medical Group
a healthcare provider or servicer in Long Beach, California  

08/26/2014 Imhoff & Associates, PC
a business other than retail in Los Angeles, California  

08/27/2014 Dairy Queen
a retail business headquartered in Edina, Minnesota
DQ confirms it was hit with BlackPOS after story was broke by security researcher Brian Krebs. Also “Dairy Queen Spokesman Dean Peters said franchisees, who operate most of Dairy Queen’s 6,300 stores, are not required to report fraud to headquarters.” More

08/28/2014 J.P Morgan Chase
a Financial or Insurance Services firm in New York, New York
[moved when size of compromise was determined -ed]

09/01/2014 Apple/iCloud
a business other than retail at 1 Infinite Loop Cupertino, California  

09/02/2014 Home Depot

As first reported by security researcher Brian Krebs multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

In an update by Krebs: several banks believe this breach may extend back to late April 2014 or early May 2014. The breach may include all 2,200 US Home Depot stores and perhaps the over 280 stores outside the U.S. including Canada, Guam, Mexico and Puerto Rico.

Again, the firsts notice of this breach was when an independent researcher saw the stolen information available for sale. There was no indication the compromised merchant even knew about it.

An undated statement from Home Depot

Reclassified from unknown to large and its own page.

9/04/2014 BOM ATM hacked

Two 14-year-olds found an old ATM operators manual online. Over a lunch hour, they went to an ATM of the Bank of Montreal (BOM) to test. Incredibly they were able to get into operator mode and their first guess at a password worked. Taking their information to the BOM’s Charleswood Centre branch on Grant Avenue their information was met with disbelief. With permission they returned to the ATM and printed documentation regarding money in the machine, how many withdrawals occurred that day, and how much it’s made off surcharges. Then they changed the surcharge amount to one cent and changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.” Article from 9/08/2014 Winnipeg Sun [ http://www.winnipegsun.com/2014/06/08/code-crackers—charleswood-teens-hack-into-grant-avenue-atm ]

9/16/2014 NC3 hit by ‘botnet attack

The NC3.mobi web site was temporarily shut down by its service provider as a security measure after rapidly repeating brute-force attacks. These attacks are not new. See 2013 article from Melbourne

The attack on NC3 was reportedly from IP 77.52.48.227. Why reportedly? IP addresses can be spoofed. 77.52.48 is generally from the Ukraine. The attack lasted less than the one minute of 1352 Eastern. It was terminated after 13 attempts from -227 and an attempt from 93.113.20.99, possibly Romania. After those attempts the hosting company automatically blocked access for everyone (including us!).

WordPress is content management software that make many aspects of web site creation easier (and some a little harder). It starts as a standardized installation and many non-technical people change as little as possible. This allows robots (‘bots), which are sometimes computers co-opted by criminals via a virus, to search out domains that use the default administration login at DomainName.TLD/wp-admin (ex: YourDomain.com/wp-admin) and, if they see the default login screen, they try brute force attempts at the default administrator account and common passwords.

To make WordPress a little less standard there are some simple things to do.

a) Disable the default admin user and create another user with admin authority

b) Use the HC Custom WP-Admin URL plug in that works with Settings | Permalinks to make the YourDomain.com/wp-admin no longer a valid URL. You create your own URL, use something meaningful (Death2EVILHackers) or fanciful (I-LoVeMyDoGs&U2). Log into WordPress by accessing the new admin URL, perhaps YourDomain.Com/CatsRuleTheWorld@1

It is beyond the scope of this site to provide technical support and we highly recommend our hosting company InMotionHosting. You don’t have to be their customer to read news about the WP login brute force attack, the how and why they disabled the WordPress login, or how to obtain, install, configure, and use the HC plugin.

9/18/2014 Torchmark

American Income Life is a subsidiary of Torchmark Corporation, a holding company specializing in life and supplemental health insurance, headquartered in McKinney, Texas.

Again, this apparent breach didn’t become public until the stolen records were offered for sale more than three months ago, on June 15, 2014. The company has yet to reveal the scope or scale of the compromise, but the stolen records appear to contain everything needed for successful identity theft. (source)

An unknown number of insurance applications containing personal information held by a Texas-based life insurance holding company may have been compromised in an apparent breach.

Torchmark Corporation told ABC News on Thursday that it was working with the FBI and the U.S. Secret Service on a criminal investigation. The company also intends to notify potentially affected customers.

The company declined to note when the breach began, whether it is contained and whether they have determined the source of the breach. A company spokesman said that the breach was “limited in scope,” but declined to provide figures of more detailed information. [Source [ http://www.kugn.com/common/more.php?m=58&ts=1411100727&article=78518B193FCF11E4B51EFEFDADE6840A&mode=2 ] ABC News highlighting ours – ed]

The Ponemon Institute reported that over 1.8 million people in 2013 were victims of medical identity theft.

9/23/2014 BMOHarris e/m-Banking Unavailable

Electronic and mobile banking at Bank of Montreal / Harris were unavailable since Monday 9/22/2014 because of “an internal technical glitch” and were back up by midday Tuesday 9/23/2014. The lack of specificity of the glitch infuriated customers one of whom wrote “This is completely unacceptable! You charge us an overdraft fee if we screw up and go over our balance. You screw up and make our account unavailable online … So how about $35 for every person every time they tried to log in today!” Another cited the Thursday 9/18/2014 $24B lawsuit filed against BMO as the reason that e/m-banking was made unavailable.

9/24/2014 Bash bug/CVE-2014-6271/Shellshock

Made public today, this refers to a capability, not an actual compromise.

Summary

Bash is part of many operating systems as a shell, a program that translates instructions from you to the operating system. Bash was found to have a vulnerability relating to how Bash evaluated certain specially crafted environment variables. This could allow an attacker to override or bypass restrictions to execute commands locally or over a network. Some services and applications allow remote and unauthenticated attackers to provide environment variables, which could allow them to exploit this issue. Bash is part of Unix/Linux (*nix) and those are part of a lot of things from Apple’s Mac (OS X 10.9.4) to automobiles, to Apache-based web servers, TelNet, ftp and to secure shell (SSH) connections. All are potentially vulnerable.

What does it mean to me?

Not all operating systems are part of conventional computers. “Embedded” operating systems can be included in very non-computer-ish things like your smart, internet accessible light bulb. Such a device generally looks for “extra” information like the name of the device, or what web browser is in use, or what operating system. If unauthorized access attempts can reach the device via this “extra” information they have successfully reached into your network. The crooks are now inside your system and can access all those “remote control” system that turn on lights, change the thermostat, control your monitoring web cams, all of which communicate over internet. This is why the exposure is labeled “catastrophic”.

*nix programs may use Bash to set environmental variables used during execution of other programs such as web servers executing CGI, email clients, provisioning audio or video files to external programs for display. Setting headers in web requests or using irregular Multi-Purpose Internet Mail Extensions (MIME). All of these can allow remote commend execution for the benefit of the hacker.

The vulnerability is still new and how many breaches have been already accomplished, if any. Like the Heartbleed bug discovered April 2014 the damage could be severe and unknown for months. The damage is expected to be “significant“.

9/29/2014 Apple Test

Mac users (Windows uses appear unaffected) can run a simple command line script to test for the vulnerability. From a command line, type or cut and paste this text:

    env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If the system is vulnerable, the output will be:

    vulnerable
     this is a test

If the system is unaffected (or already updated), the output will be:

     bash: warning: x: ignoring function definition attempt
     bash: error importing function definition for `x’
     this is a test

9/29/2014 Apple Updates

In response to CVE-2014-6271/Chazelas and CVE-2014-7169/Ormandy Apple has released Bash Updated 1.0 for OS X in three varieties. As of 9/29/2014 these updates must be installed manually not via “Software Update”. OS X  Lion  Mountain Lion  Mavericks   

After updating it is highly recommended you confirm the update was applied. Use this procedure:

  Open Terminal
  Execute this command > bash –version
    That is bash[space][dash][dash]version
    Some browsers display two short dashes as one long dash. Use two short.

If successful the version will be
OS X Lion  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
OS X Mountain Lion  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Mavericks   GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)

See Apple Security Updates for more information

Device Maker not exactly clear

9/25/2014 a consumer emailed the maker of the NEST Thermostat asking about the vulnerability of their device to the Bash bug. Compliments on their speedy reply, but less so on the nebulous content.

Re: is Nest vulnerable to the bash bug recently discovered in *nix?
From: MOD-Faris (Nest Employee)
Sep 25, 2014 3:41 PM (in response to [ consumer name redacted here -ed]
Hi [ consumer name ]
I’ve checked with our engineering, and Nest shouldn’t be vulnerable. To the best of our knowledge, no Nest devices (Thermostat or Protect) have ever been hacked remotely. Have a great day, Faris [ slightly reformatted -ed]

To which the consumer asked a very specific question.

Re: is Nest vulnerable to the bash bug recently discovered in *nix?
From [ consumer name ] (New Nester)
Sep 26, 2014 7:51 AM (in response to MOD-Faris)
Thanks Faris. Does the Nest thermostat run Linux?

Their reply didn’t say yes and it didn’t say no.

The thermostat’s software does use some open source software, you can find the list here: “Open Source Compliance” That’s all the information that I can provide about the Nest’s thermostat’s OS.

Tired of the non-answers, the consumer found this tar.gz file which indicated that Nest is using Linux which has Bash.

Update 11/04/2014

NEST Thermostat has an update expected this week. A CNET article says “There’s nothing too dramatic about any of the new features coming to Nest software version 4.3.” There is nothing in the article about Linux, let alone whether were was a Bash vulnerability or if such a vulnerability was fixed.

More as it arrives

References and more information

Scale Bash is “built into more than 70 percent of the machines that connect to the Internet.” HeartBleed went unnoticed for two years and infected about half a million machines. The Bash bug has been in existence for twenty two years. Source

Scope While HeartBleed can expose information, the Bash bug can be used to take over the entire machine and run commands and programs to the benefit of the hacker.

Time Range HeartBleed went unnoticed for two years and affected an estimated 500,000 machines, but Shellshock was not discovered for 22 years.

For more see one public alert which labels this exposure “catastrophic.” Also the US-CERT alert which rates it high in severity, potential impact and exploitability, but low in terms of its complexity, meaning that it is easy for hackers to use. See also the Register (UK Biting the hand that feeds IT),  Reuters,   Akamai,  and Arstechnica which has a well documented and simple test for testing *nix system vulnerability. If you’re in the mood for a more complete and technical explanation read Troy Hunt.

Some devices on the Internet-of-Things didn’t need Bash to compromise WiFi networks. Read how your smart light may be exposing your credentials.

What is “Bash”?

Bash is the shell, or command language interpreter, for the GNU operating system. The name is an acronym for the ‘Bourne-Again SHell’, a pun on Stephen Bourne, the author of the direct ancestor of the current Unix shell sh, which appeared in the Seventh Edition Bell Labs Research version of Unix.

Bash is largely compatible with sh and incorporates useful features from the Korn shell ksh and the C shell csh. It is intended to be a conformant implementation of the IEEE POSIX Shell and Tools portion of the IEEE POSIX specification (IEEE Standard 1003.1). It offers functional improvements over sh for both interactive and programming use.

While the GNU operating system provides other shells, including a version of csh, Bash is the default shell. Like other GNU software, Bash is quite portable. It currently runs on nearly every version of Unix and a few other operating systems – independently-supported ports exist for MS-DOS, OS/2, and Windows platforms. Source [ highlighting ours -ed ]

9/29/2014 Supervalu / Albertsons hacked, again

AB Acquisition LLC, which operates Albertsons stores was notified by its IT services provider SUPERVALU of an attempted criminal intrusion seeking to obtain payment card information. They were hacked just two months ago in August 2014.

As of 10/02/2014 the exposure of information has not been confirmed

Supervalu runs over 1,300 Save-A-Lots stores, has 190 retail grocery stores under five different names including Cub Foods. In 2013 Supervalue sold Albertsons, Acme, Jewel-Osco, Shaw’s and Star Market chains to Cerberus Capital Management, but it still provides information technology services for those stores. Albertsons is a grocery chain with over 1080 stores and is headquarted in Boise, Idaho. It includes stores named ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market, Super Saver, and the United Family of stores: Amigos, Market Street and United Supermarkets.

When late August 2014 or early September 2014, malware was installed on networks that process credit and debit card transactions. Scope Potentially exposed were account numbers, card expiration dates and the names of cardholders. Scale The breach could affect

  Albertsons stores in California, Idaho, Montana,
    Nevada, North Dakota, Oregon, Utah, Washington and Wyoming

  Acme Markets stores in Delaware, Maryland, New Jersey and Pennsylvania

  Jewel-Osco stores in Illinois, Indiana and Iowa

  Shaw’s and Star Markets stores in
    Maine, Massachusetts, New Hampshire, Rhode Island and Vermont

Supervalue stores impacted August 27, 2014 and September 21, 2014 are believed (1 page PDF) only to include Cub Foods stores in Hastings, Roseville, Shakopee and White Bear Lake, all in Minnesota.

Company believes the malware did not affect, any of its Farm Fresh or Hornbacher’s stores, any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the Company through its Independent Business network (other than the affected Cub Foods franchised stores).

9/29/2014 Supervalue statement  Albertsons statement [ http://www.albertsons.com/2014/09/ab-acquisition-llc-announces-discovery-of-separate-criminal-incident-involving-payment-card-data-processing ] which includes information on no-charge identity protection. Echoed at Jewel/Osco

9/29/2014 Associated Press (AP) article [ http://bigstory.ap.org/article/99d48b74d22c4f84a511c3564b12e59c/supervalu-albertsons-disclose-new-data-breach ]

10/01/2014 Your Flashlight App

Your smart phone flashlight app may be doing a heck of a lot more than lighting the way, it may be copying publishing your information.

The story from SnoopWall, the Snoopwall Flashlight Apps | Threat Assessment Report: Summarized Privacy and Risk Analysis of Top 10 Android Flashlight Apps by SnoopWall mobile security experts and the Privacy App scanner research paper (5 page PDF) and a video showing how to uninstall other flashlight apps. This same page has a link to a replacement flashlight app without spyware, without ads, is under 80kb, and at no-charge.

10/06/2014 Flinn Scientific, Inc. a retail business in Illinois  

10/07/2014 Essex Property Trust a retail business in California  

10/07/2014 SELF Loan a retail business in Minnesota  

10/07/2014 Novant Health Gaffney Family Medical Clinic a healthcare provider or servicer in South Carolina  

10/07/2014 UIllinois Holdings Corporation a retail business in Connecticut  

10/07/2014 Gambling Bug

This bug made some rich, but the gambling addicts got greedy, then they got noticed, then they got busted. How many just made a few bucks at a time and profited unseen?

Like the Bash bug that went undetected for years, this one appears to have debuted in 2002 and wasn’t detected until 2009. “ … a series of subtle errors in program number G0001640 that evaded laboratory testing and source code review. The bug survived like a cockroach for the next seven years. It passed into new revisions, one after another, ultimately infecting 99 different programs installed in thousands of IGT machines around the world.”

“The key to the glitch was that under just the right circumstances, you could switch denomination levels retroactively. That meant you could play at 1 cent per credit for hours, losing pocket change, until you finally got a good hand—like four aces or a royal flush. Then you could change to 50 cents a credit and fool the machine into re-awarding your payout at the new, higher denomination.”

So … is it still gambling when the house (which controls the odds) gets taken by an observant sucker who exploits a weakness? Gambling or not, is it legal? Were they convicted? Actually, no. See the excellent and entertaining Wired article for why not.

10/08/2014 MBIowa Inc. a retail business in New York  

10/09/2014 Dairy Queen

a retail business headquartered in Edina, Minnesota

International Dairy Queen, Inc. today confirmed that the systems of some DQ® locations and one Orange Julius® location in the U.S. had been infected with the widely-reported Backoff malware that is targeting retailers across the country. The company previously indicated that it was investigating a possible malware intrusion that may have affected some payment cards used at certain DQ locations in the U.S. Upon learning of the issue, the company conducted an extensive investigation and retained external forensic experts to help determine the facts. Because nearly all DQ and Orange Julius locations are independently owned and operated, the company worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at some locations. (source: DQ press release, see below, highlights ours -ed ]

What Between early August 2014 through early October 2014 it appears Backoff compromised 395 stores of the 4,500+ in the DQ family. Scale The number of compromised consumers has not yet been revealed. Scope Customer names, card numbers and card expiration dates may have been harvested.

Dairy Queen is getting the word out. Here is a press release, a letter from the president, a FAQ, a list of affected stores and their windows of exposure, and more information including the offer of one year of AllClear ID at no cost. Affected customers may call 1-855-865-4456 for more information.

Unfortunately this is another case of the company apparently not knowing it had been breached until after financial services organizations reported DQ being the nexus for a flurry of compromised cards.

8/26/2014 security researcher Brian Krebs reported: “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.” (source) [ highlighting ours -ed]

8/28/2014, two days later: “A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions.” DQ confirmed the breach six weeks after KOS reported it.

The company reported “early August” as the earliest possible compromise. Per Krebs: “… the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014.” So which is it???

10/10/2014 Update – source found

From security researcher Brian Krebs

“… Dairy Queen said its investigation revealed that the same third-party point-of-sale vendor was used at all of the breached locations, although it declined to name the affected vendor. However, multiple sources contacted by this reporter said the point-of-sale vendor in question was Panasonic Retail Information Systems.

In response to questions from KrebsOnSecurity, Panasonic issued the following non-denial statement:

“Panasonic is proud that we can count Dairy Queen as a point-of-sale hardware customer. We have seen the media reports this morning about the data breaches in a number of Dairy Queen outlets. To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide. Panasonic stands ready to provide whatever assistance we can to our customers in resolving the issue.” [highlighting ours -ed]

10/10/2014 Attention K-Mart Shoppers

Sears Holdings Corporation (SHC) is the parent company of Kmart Holding Corporation (“Kmart”) and Sears, Roebuck and Co. SHC is headquartered in Hoffman Estates, Illinois

In an SEC filing (Form 8-K, Item 8.01 Other Events) yesterday, and made public today, SHC reported that “On October 9, Kmart’s Information Technology team detected Kmart’s payment data systems had been breached and immediately launched a full investigation working with a leading IT security firm. The investigation to date indicates the breach started in early September. According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. Kmart was able to quickly remove the malware. However, Kmart believes certain debit and credit card numbers have been compromised. Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that kmart.com customers were impacted.”

Scope Debit and Credit Card Numbers. [ed: rather odd that just the numbers were compromised without at least the expiration date] Scale Number of compromised consumers is unknown.

K-Mart issued a press release on 10/10/2014. [editorial comment: Discovered yesterday, made public today. Fastest release of information I can recall. Certainly not complete, but getting the news out there quickly, and on a Friday too. ]

10/12/2014 Public WiFi Dangers

An engaging read for anyone who ever uses a public WiFi network that has a great opening line striking fear all around.

“We took a hacker to a café and, in 20 minutes,
he knew where everyone else was born,
what schools they attended, and
the last five things they googled.”

Read how he suckered people into connecting to HIS network. All traffic gets routed to the public network via his computer so all the traffic is read by his machine.

“ … some more hacker tricks. Using an app on his phone, he is able to change specific words on any website. For example, whenever the word “Opstelten” (the name of a Dutch politician) is mentioned, people see the word “Dutroux” (the name of a convicted serial killer) rendered on the page instead. We tested it and it works. We try another trick: Anyone loading a website that includes pictures gets to see a picture selected by Slotboom. This all sounds funny if you’re looking for some mischief, but it also makes it possible to load images of child pornography on someone’s smartphone, the possession of which is a criminal offense.”

“Another trick that Slotboom uses is to divert my internet traffic. For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom. Hackers call this DNS spoofing. The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts.

[ much more at the original site or the mirrored site. Highlighting ours -ed ]

10/14/2014 CVE 2014-4114 / SandWorm

iSight and Microsoft announced a vulnerability (CVE 2014-4114 dubbed “SandWorm”. The CVE was reserved on 6/12/2014 by a researcher who included this description:

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a “Sandworm” attack in June through October 2014, aka “Windows OLE Remote Code Execution Vulnerability.”

In an interesting twist, Windows/XP is not affected. The National Vulnerability Database gives an Impact CVSS Severity (v2.0) score of 9.3 (high).

The problem centers around the OLE packager which can download and execute INF files that may contain malicious commands. OLE is central to sharing information between applications. This vulnerability gives new emphasis to the phrase Death By Powerpoint. It was uncovered during an analysis of attacks against NATO.

Russians hackers have exploited a zero-day vulnerability in Microsoft Windows to hijack and snoop on PCs and servers used by NATO and the European Union, says security biz iSight.

The software flaw is present in desktop and server flavors of the Redmond operating system, from Vista and Server 2008 to current versions. No patch for the hole exists yet, but is expected to be fixed in today’s Patch Tuesday update from Microsoft.

iSight has dubbed the vulnerability (CVE-2014-4114) “SandWorm”, and this one looks to be as terrible as Shai-Hulud in full cry: the security biz says the hole was “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.”

According to iSight, “an exposed dangerous method vulnerability [CVE-2014-4114] exists in the OLE package manager in Microsoft Windows and Server” that “allows an attacker to remotely execute arbitrary code.”

“The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files,” iSight writes. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”

“This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands”.

Sight says it spotted the flaw while analysing “Tsar Team”, a group of chaps suspected of being Russian cyber-espionage operatives, and in late August “discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization” during the NATO summit on the Ukraine crisis staged in Wales.

“On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012,” iSight writes.

A weaponized PowerPoint document was observed in these attacks.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree.”

iSight says it contacted all the impacted parties and has since worked with Microsoft on a fix that should land today.

And in case you’re wondering about the name and the Dune reference in the logo, iSight says the exploit’s code contains several references to Frank Herbert’s classic.

Source [ emphasis ours -ed ]

[ We’re not in favor of romanticizing or personalizing vulnerabilities such as HeartBleed or Shellshock as it can be exploited by manipulative pundits to generate fear. These problems (over 65,000 in the CVE database as of 10/1/2014) are frightening enough. Having said that, the SandWorm graphic and phrase shown the Register (Biting the hand that feeds IT) article is quite clever. -ed ]

10/14/2014 Multiple Financial Services Financial Firms a Financial or Insurance Services firm in US  

10/14/2014 Aquarian Water Company / Dworken, Hillman, LaMorte a retail business in Connecticut  

10/14/2014 Kmart a retail business in Illinois  

10/14/2014 Office of Dr. Pramod Raval (now deceased) a healthcare provider or servicer in Michigan  

10/14/2014 Valeritas a healthcare provider or servicer in New Jersey  

10/14/2014 Cyberswim, Inc. a retail business in Pennsylvania  

10/14/2014 Evolution Store a retail business in New York  

10/14/2014 SSL 3.0 Vulnerable

There is a problem in the design of version 3.0 of the Secure Sockets Layer (SSL) known as Padding Oracle On Downgraded Legacy Encryption (dubbed “POODLE”). SSL has been in widespread service for almost 15 years. It is used in protecting data transmitted over the internet as part of the Hyper Text Transfer Protocol Secure (HTTPS, see how it works) used by applications that need security, the most common being banking. Because it is a design problem any application that adhered to the standard is affected. That means almost any browser is affected including Pale Moon, Firefox, Chrome, and Internet Explorer.

SSL has a more modern successor the Transport Layer Security (TLS see how it works) with two layers. One allows connection security with encryption methods, but encryption is not required. TLS is not affected by this vulnerability, but network communications errors, either due to bugs in the HTTPS host or caused by miscreants can cause TLS to fall back to the 15-year old SSL 3.0 thus allowing exploitation of the SSL vulnerability.

SSL 3.0 was deprecated (determined to be vulnerable) more than a decade ago. It has been reported that the next iteration of SSL was renamed to TLS with version number 1.0 to disassociate the TLS product completely from the earlier SSL. Or, perhaps because Netscape created SSL in 1994 and another browser maker insisted on a name other than SSL 4.0 because they hated Netscape.

What does this mean to you?
“… while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages. These are two examples — they really have near complete control over your accounts.” Source

What can you do?
The solution is to disable SSL (all versions) so that if TLS (any version) has problems the fall back programming won’t be able to fall back to SSL. The downside is that the communications session in progress will then fail.

A communications session has two sides: the server (host) and the browser. Disabling SSL in hosts (servers) can disconnect too many users who still use Microsoft’s decade-old Internet Explorer Version 6. Some hosts have decided to sacrifice those users until they upgrade.

Here are two ways to stop browsers from using SSL:
  Chrome: use the command-line flag –ssl-version-min=tls1
  Firefox:  set security.tls.version.min to 1.
(source)

References
For more on POODLE and other solutions for users see Imperial Violet which has been very busy recently.

From Google Security Research This POODLE Bites: Exploiting The SSL 3.0 Fallback (4 page PDF) and a related article.

Update 11/05/2014

For users – there is a very easy test at www.PoodleTest.com which will test your browser for vulnerability. If vulnerable you’ll see words and an image of a gray poodle. If not, then you’ll see words and a Springfield Terrier. On the same page is browser specific information and links to more information. For server operators – try www.PoodleScan.com  Reiterating the “horse’s mouth”: see MITRE’s database on common vulnerability and exposure 3566 in 2014. Thanks to Gregg of RICIS Inc. for the links.

Update 12/11/2014

On December 8, 2014 researchers found that the same POODLE flaw also extends to certain versions of a widely used encryption standard, Transport Layer Security (TLS). Those who thought they might have fixed the weakness need to test again.

Here is a test from SSL Labs. Using that test these large financial institutions are vulnerable: Bank of America, Chase.com, Citibank, HSBC, Suntrust, Fidelity.com and Vanguard. Links to the test results are available via the Krebs on Security report.

10/16/2014 Ebola Phishing

US-CERT alert:  Ebola Phishing Scams and Malware Campaigns “US-CERT reminds users to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system.”

10/24/2014 NYT Article

“Trustwave, a private security and compliance consulting company, discovered several Ebola-themed threats…. One email purporting to be from the World Health Organization included a bogus file that claimed to include Ebola safety tips. Once downloaded, the file dropped a program onto the victim’s machine that evaded antivirus defenses. The program can do everything from grab shots off the victim’s webcam, record sounds from their computer’s microphone, take control of their desktop remotely, modify and upload files and steal passwords.” [ more and sample images of the fake notices available at the source -ed ]

Emails reportedly from the World Health Organization (WHO) and a Health Advisory from the Government of Mexico are delivery vehicles for malware of the worst sort. Other less malicious emails contain subject lines designed to anger the reader and get them to click on a link. Some of those headlines are “You won’t believe what Obamacare & Ebola have in common” and “First GMO foods, now Ebola. What Obama doesn’t want you to know”.

10/20/2014 Staples

12/19/2014 Stapes released information, moved from unknown. See the details.

10/20/2014 Sourcebooks, Inc. / PutMeInTheStory a retail business in Illinois  

10/20/2014 National Domestic Workers Alliance a retail business in New York  

10/20/2014 Warren County Public Schools an educational institution in Kentucky  

10/20/2014 City of Algood State or Local Government in Tennessee  

10/20/2014 Metro Health Department State or Local Government in Tennessee  

10/20/2014 Marquette University an educational institution in Wisconsin  

10/20/2014 Spartanburg Area Mental Health a healthcare provider or servicer in South Carolina  

10/21/2014 AT&T a retail business in Texas  

10/21/2014 DHHS / Indian Health Service Federal government in US  

10/21/2014 Advantage Funding Company a Financial or Insurance Services firm in New York  

10/27/2014 Medi-Waste Disposal a healthcare provider or servicer in Nebraska  

10/28/2014 www.sinclairinstitute.com a retail business in North Carolina  

10/28/2014 American Soccer Company, Inc. / SColoradoRE a retail business in California  

10/28/2014 Reeves International / Breyer Horses a retail business in New Jersey  

10/28/2014 Arkansas State University-Beebe an educational institution in Arkansas  

10/28/2014 Fidelity National Financial a Financial or Insurance Services firm in Georgia  

11/05/2014 WireLurker

PaloAltoNetworks, in a brief article, describes WireLurker as malware for Mac OS and iOS systems. It is characterized by a large infection footprint, attacks iOS devices via OS X and universal serial bus (USB) connectivity, replicates its own code and (like a traditional virus) infects installed iOS applications, abuses Apple’s Enterprise Provisioning (even if the user is not part of an enterprise) and iTunes protocols to propagate to other devices whether fresh-from-the-box or jailbroken.

Once an OS X computer infected WireLurker detects any iOS device connecting via USB and copies either third-party applications or automatically generated malicious applications. Once infected the information in the device may be compromised. The infected device communicates with a control server for updates and deliver information.

Use this direct link to the whitepaper, a 32 page PDF. See Figure 5 on page 6 for a flowchart of how WireLurker operates. Or, read this less technical report from Jonathan Zdziarski, via his blog. It describes what happened and makes several recommendations including being able to disable Enterprise Provisioning when the user is not part of an enterprise.

Test your device

To test your device for WireLurker, cut-and-paste a provided script using the Terminal program. Don’t count on your anti-virus software to protect you. 50+ virus detection systems failed to detect WireLurker per Figure 31, page 28 of the PaloAltoNetwork whitepaper.

Test your internet traffic

There is only one known C2 host. If your server displays traffic to or from that host then investigate your devices for one, or more, compromised with WireLurker. That C2 host name is www dot come{NoSpace}in{NoSpace}baby dot com. There is no space where it says {NoSpace}. The name was altered from the proper presentation so this site does not appear on search engines.

Detection, Propagation and Purpose

What came to be called WireLurker was initially detected and reported on 6/01/2014 by a developer for Tencent, Inc. China’s largest and most used Internet service portal. A discussion thread was created several days later and others reported seeing anomalous generation and operation of unknown applications. A version was found to date as of 4/30/2014 and three versions have been found based on a URL parameter inside the code. WireLurker’s initial vector may have been infecting almost 500 applications on a Mac application store in China. Those applications were downloaded over 350,000 times impacting an unknown number of users. It may be that the C-version is devoted to spreading the infection and another version will indicate the intent beyond exposing the unit’s serial number, phone number, model number, device type and version name, the user’s Apple ID, UDID, Wi-Fi address, and disk usage information per page 17 of the PaloAltoNetworks whitepaper.

USB vulnerabilities known

Proof of concepts for attacking fresh-from-the-box iOS devices over USB connections have been available for a while. On May 4, 2013 Mathieu Renard showed how a USB device can install applications on iOS devices during a presentation at Hackito Ergo Sum May 2-4, 2013. Specific links to Renard’s presentation (33MB MP3 and the 54 page 1.9MB PDF) A page with links to the all the presentations at the 2013 event.

11/07/2014 Update: Apple Responds

According to The Register (a UK publication whose slogan is Biting the hand that feeds IT) Apple revoked the cryptographic certificate that the malware had used to convince iOS devices that the malware was a trusted-service and allowing the installation of malware code. So, iOS devices will (should) reject any programming code dependent on that certificate. This is a temporary fix as WireLurker can still read from iPhones or iPads without the certificate. Also replacement certificates could be placed inside the code. Also – the C2 server name above appears to no longer be available, but given that WireLurker is multigenerational malware, the next version could connect to another server.

11/10/2014 Update: Apple says

Apple reports that Masque and WireLurker only affect those Mac and iOS users who bypass their security systems, by jailbreaking an iOS device; by disabling the protections of Mac OS X’s GateKeeper; or by choosing to “Trust” app installs that iOS identifies as being from an “Untrusted App Developer.”

11/03/2014 Backcountry Gear #2` a retail business in Oregon  

11/03/2014 VA Montana Health Care System Military in Montana  

11/03/2014 Capital One A bank in Virginia  

11/03/2014 Meade School District an educational institution in South Dakota  

11/03/2014 Montgomery Obstetrics & Gynecology a healthcare provider or servicer in Virginia  

11/03/2014 Datapark / ABM Parking Services Inc. a retail business in Ohio  

11/03/2014 Henry & Rilla White Foundation a retail business in Florida  

11/07/2014 Home Depot / Emails a retail business in Georgia  

11/10/2014 Palm Springs Federal Credit Union a Financial or Insurance Services firm in California  

11/10/2014 One Love Organics a retail business in Georgia  

11/10/2014 Masque Attack

Soon after the 6/1/2014 discovery of WireLurker, mobile security researchers at FireEye discovered another iOS application that abused the enterprise provisioning feature which could replace an authentic installed application. In July they named this a “Masque Attack”. All applications except those installed with iOS are vulnerable. The malware replaces the application, but does not remove the original application’s local data. So Masque could replace your banking application and have access to your banking credentials. Similarly, if Masque replaced your email program it has access to your email stores including trashed, but not-yet-purged, emails.

The vulnerability exists on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and new-in-the-box devices. The attack vector can be thru USB connections (as WireLurker) or wireless networks. These infected applications are very difficult for users to detect. Information can be extracted from the iOS device and transmitted to another host.

See this [ www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html ] 3m 06s video from FireEye. The same page has more information and recommendations. The same video is also available via YouTube.

Apple says

Apple reports that Masque and WireLurker only affect those Mac and iOS users who bypass their security systems, by jailbreaking an iOS device; by disabling the protections of Mac OS X’s GateKeeper; or by choosing to “Trust” app installs that iOS identifies as being from an “Untrusted App Developer.”

11/11/2014 Microsoft TLS/CVE-2014-6321
In security bulletin MS14-066 Microsoft disclosed a critical vulnerability that can allow unauthorized access to a system enabling remote code execution. More specifically: the Microsoft secure channel (schannel) component that implements the secure sockets layer (SSL) and transport layer security (TLS) protocols fails to filter specially formed packets allowing attackers to execute malware by sending malicious traffic to a Windows-based server. Users or system administrators who monitor internet ports (such as hosting an FTP server) are exposed. Both should install a patch released Tuesday 11/11/2014. Except for Windows XP this flaw exists in virtually all versions of Windows. The bulletin cited above has a list. A less technical article from arstechnica. Together with Heartbleed/CVE-2014-0160 from 4/07/2014 and other compromises every major TLS functionality has been compromised this year. Some were relatively benign allowing bypasses of encryption protection, while others allow data access and the execution of malware.

12/05/2014 Bebe Stores
Once again the breach of a national retailer was discovered, not by the retailer, but an independent security researcher who found stolen credit and debit card data for sale on the web. Read more.

11/14/2014 Chino Latino / Burger Jones a retail business in Minnesota  

11/18/2014 Merchants Capital Access a retail business in New York  

11/18/2014 Nova Southeastern University an educational institution in Texas  

11/18/2014 Alliance Workplace Solutions a retail business in Illinois  

11/18/2014 West Publishing Corporation a retail business in Minnesota  

11/18/2014 Eastern Iowa Airport a retail business in Iowa  

11/18/2014 EZ Prints, Inc. a retail business in Georgia  

11/21/2014 Amgen a healthcare provider or servicer in California  

11/25/2014 Carrington of Champion Forest a retail business in Texas  

11/25/2014 Regional Transportation District a retail business in Colorado  

11/25/2014 Duluth Pack a retail business in Minnesota  

12/02/2014 Holiday Motel a retail business in Vermont  

12/02/2014 Godiva Chocolatier, Inc. a retail business in US  

12/02/2014 Shutterfly / tinyprints a retail business in California  

12/02/2014 SP Plus a retail business in Illinois  

12/02/2014 Simms Fishing Products a retail business in Montana  

12/02/2014 State Compensation Insurance Fund a retail business in California  

12/05/2014 Bebe Stores a retail business in California  

12/09/2014 Novo Nordisk, Inc. a healthcare provider or servicer in New Jersey  

12/09/2014 Calypso St. Barth a retail business in New York  

12/09/2014 University of Oklahoma Health Sciences Center / Colle an educational institution in Oklahoma  

12/09/2014 Stephen Phillips Memorial Scholarship Fund a retail business in Massachusetts  

12/09/2014 e-conolight a retail business in Arizona  

12/09/2014 Pacific Supply Company (Experian) a retail business in California  

12/09/2014 Blue Mountain Community Foundation a retail business in Washington  

12/09/2014 Provider exposed 5 years
Who: CHARGE Anywhere, LLC is a provider of electronic payment gateway solutions to merchants with offices in New Jersey and Florida. The are a global provider of mobile, cloud and integrated payment applications.

What: CHARGE Anywhere was asked to investigate after fraudulent charges appeared on cards that had been otherwise properly used at certain merchants. Malware, undetected by any anti-virus software, had captured parts of outbound network traffic. Much of that traffic was encrypted, but the crooks were eventually able to access to plain text payment card transaction authorization requests.

When: The malware was discovered September 22, 2014. Network traffic from August 17, 2014 through September 24, 2014 was identified. Although only five weeks of data were identified it is possible that the unauthorized person who planted the malware had the ability to capture network traffic as early as November 5, 2009 for an exposure of almost five years.

Scope: Compromised information can include customer name, card number, expiration date and verification code. Scale: No information as to how many consumers or merchants were exposed was provided by the company as of 12/11/2014.

From the company: a statement [ https://www.chargeanywhere.com/notice/_defaultmerchant.aspx ],  [ https://www.chargeanywhere.com/notice/Payment_Incident_FAQ_Merchant_ISO.pdf ] FAQ for merchants, and a search function to see if a particular merchant was affected. An exact name match is required. This is more for merchants and less for consumers. No list was provided.

12/11/2014 EMColoradoR Services Mesa Energy Systems a retail business in California  

12/11/2014 CHARGE Anywhere a retail business in New Jersey  

12/11/2014 Corvallis Clinic a healthcare provider or servicer in Oregon  

12/11/2014 Tribeca Medical Center a healthcare provider or servicer in New York  

12/12/2014 St. Louis Parking Company a retail business in Missouri  

12/16/2014 Sands a retail business in Pennsylvania  

12/16/2014 Acosta Inc. a retail business in Florida  

12/16/2014 Point Loma Nazarene University an educational institution in California  

12/16/2014 Virginia Commonwealth University Health System a healthcare provider or servicer in Virginia  

12/22/2014 Mercy Medical Center Redding Oncology Clinic a healthcare provider or servicer in California  

12/23/2014 Harmonic Inc. a retail business in California  

12/23/2014 IDParts.com a retail business in Massachusetts  

12/23/2014 Custom Accessories, Inc. / BolderImage a retail business in Illinois  

12/23/2014 Office of Rob Kirby, CPennsylvania a retail business in California  

12/23/2014 Presidian Hotels & Resorts a retail business in California  

12/23/2014 Park ‘N Fly a retail business in Georgia  

12/23/2014 DutchWear (Boersma Bros., LLC) a retail business in Oregon  

12/23/2014 South Western High School an educational institution in Pennsylvania  

12/23/2014 Nvidia a retail business in California  

12/23/2014 Quest Diagnostics a healthcare provider or servicer in New Jersey  

12/30/2014 OneStopParking.com a retail business in Kentucky  

12/30/2014 theonepercent.org / Public Architecture a retail business in California  

12/30/2014 Lokai Holdings a retail business in New York  

12/31/2014 Stagecoach Transportation Services, Inc a retail business in Vermont  

12/31/2014 Chick-fil-A a retail business in Georgia  

12/31/2014 Physicians Skin & Weight Centers a healthcare provider or servicer in California  

12/31/2014 DJO Global / Empi a healthcare provider or servicer in California  

12/31/2014 Apple Leisure Group / AMResorts a retail business in Pennsylvania  

12/31/2014 Ascena Retail Group a retail business in New Jersey  

12/31/2014 Valplast Supply Company a retail business in New York  

 
 
In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended as are The Identity Theft Resource Center (ITRC).

 
 

View the 2014 summary
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.

Visit Us On FacebookVisit Us On Twitter