US-CERT Warns Businesses About POS Attacks
Posted on January 9, 2014 by Kara Dunlap in Security
If nothing else, the breach at Target brought this point home – point-of-sale (POS) systems are firmly on the radar of attackers.
So much so that US-CERT just recently warned retailers to do a better job of protecting their systems.
“In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming,” the organization noted. “In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.”
“As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services,” the advisory continued. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.”
In the case of Target, malware was discovered on the company’s POS systems Dec. 15. At that point, Target disabled the malicious code and began the process of notifying card processors and payment card networks. As many as 40 million debit and credit card accounts may have been impacted. But that was just the most recent example of an attack. For example, in 2012, hackers hit the point-of-sale systems at Barnes & Noble and compromised credit card readers at 63 stores.
“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” said Mark Bower of Voltage Security.
These systems are in constant use around heavy shopping periods like Black Friday, when they are often less frequently patched and updated, he added. To take the profit out of the attacks, savvy retailers are utilizing point-to-point encryption to protect data before it even gets to the POS system, he said.
“If the POS is breached, the data will be useless to the attacker,” he said. “Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.”
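To make concrete what "no live data" means for a post-authorization process such as returns, here is an added example (not code from the article, from Voltage Security or from any retailer) of a minimal tokenization vault in Python. The vault, the role names, the test card number 4111111111111111 and the sample returns record are all constructed for illustration. The token keeps the last four digits so a returns clerk can still match a card, is deliberately Luhn-invalid so it cannot be mistaken for a card number, and can only be reversed by a caller holding the payment-processor role; a final check scans the returns record for anything that still looks like a live card number, which is the test a defender would run against a store-side data set.

```python
import re
import secrets

# Role allowed to turn a token back into a card number (constructed for this example).
DETOKENIZE_ROLE = "payment-processor"


def luhn_valid(digits: str) -> bool:
    """Luhn check, the checksum every real card number satisfies."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory PAN-to-token vault (constructed stand-in for a real vault service)."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable, format-preserving token for a valid card number."""
        if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]      # same card, same token
        while True:
            # Random digits in place of everything but the last four, so the
            # returns desk can still match a card without ever holding the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that collide with a real PAN or another token,
            # and any that happen to pass Luhn (so a token never looks live).
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processor role may recover the card number."""
        if caller_role != DETOKENIZE_ROLE:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def find_live_pans(blob: str) -> list[str]:
    """Defender's check: digit runs of card length that also pass Luhn."""
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", blob)
    return [c for c in candidates if luhn_valid(c)]


def returns_record(vault: TokenVault, pan: str, order_id: str, amount: str) -> str:
    """Build the record a returns system would keep: token, never the PAN."""
    token = vault.tokenize(pan)
    return f"RETURN order={order_id} card={token} last4={pan[-4:]} amount={amount}"


if __name__ == "__main__":
    vault = TokenVault()
    record = returns_record(vault, "4111111111111111", "A1001", "49.99")
    print(record)
    print("live PANs in returns record:", find_live_pans(record))
```

Running the module prints a returns record whose `card=` field is a 16-digit token ending in 1111 and reports no live PANs in it, whereas the same scan over a record containing the raw test number would flag it. In a real deployment the vault would be a separate, access-controlled service and the detokenization call would be authenticated rather than trusting a role string.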
Organizations need to take stock of what devices they have running and what gaps they need to close, said Chris Strand, compliance consultant at Bit9.
“Taking a better approach to automating the vulnerability analysis to get better visibility of the threat landscape and find a solution that allows organizations to see where high priority and critical areas are on those systems,” Strand said.
US-CERT also recommends organizations restrict POS access to the Internet, disable remote access and update POS software applications.
Then there is the prospect of more secure EMV cards, which security experts say may have made the attack on Target a non-starter for those behind it.
“EMV is a big part of the answer and would likely have prevented the Target breach,” noted Chester Wisniewski, senior security advisor at Sophos. “Merchants have been resistant as it requires newer payment terminals, but Target is one of the few who were already EMV-ready. It is currently scheduled to roll out (for most transactions) in the US in the autumn of 2015. It took us about 18 months to fully embrace it here in Canada; let’s hope the US can one-up us.”
Related Reading: PCI DSS 3.0 – The Impact on Your Security Operations
US Appeals Court Ruling Invalidating NSA Surveillance
Posted on January 6, 2014 by Kara Dunlap in Security
WASHINGTON – The US government said Friday it is appealing a judge’s ruling that the National Security Agency’s bulk collection of phone records is unconstitutional and “almost Orwellian.”
The Justice Department filed a notice of appeal with the court following last month’s ruling by Judge Richard Leon.
Arguments and briefs in the case will be filed at a later date.
The scathing December 16 ruling by the federal judge in Washington was stayed pending appeal, but if upheld it could lead to the spy agency being barred from indiscriminately monitoring millions of private calls.
“I cannot imagine a more indiscriminate and arbitrary invasion than this systematic and high-tech collection and retention of personal data on virtually every single citizen,” Leon said in his opinion.
It is among several court cases pending which challenge the vast surveillance programs spearheaded by NSA and disclosed in documents leaked by fugitive former NSA contractor Edward Snowden.
On December 27, Federal Judge William Pauley in New York dismissed a petition from the American Civil Liberties Union and said the NSA program on phone data was a vital tool to help prevent an Al-Qaeda terror attack on American soil. The ACLU said it would appeal that decision.
The apparently contradictory rulings make it likely the US Supreme Court will decide on the constitutionality of the NSA programs.
Separately Friday, a civil rights group asked the US Supreme Court to review a case challenging the authority of NSA surveillance.
The Center for Constitutional Rights petitioned the Supreme Court, saying the Snowden revelations provide new information which should lead the justices to revisit the matter.
“We have always been confident that our communications — including privileged attorney-client phone calls — were being unlawfully monitored by the NSA, but Edward Snowden’s revelations of a massive, indiscriminate NSA spying program changes the picture,” said CCR attorney Shayana Kadidal.
“Federal courts have dismissed surveillance cases, including ours, based on criteria established before Snowden’s documents proved that such concerns are obviously well-founded.”
In a related matter, more than 250 academics from around the world signed an online petition this week calling for an end to “blanket mass surveillance” by intelligence agencies.
The petition said revelations of mass surveillance in documents leaked by Snowden violate “a fundamental right” protected by international treaties, including the International Covenant on Civil and Political Rights and the European Convention on Human Rights.
“This has to stop,” said the petition (academicsagainstsurveillance.net), an initiative of four academics from the University of Amsterdam.
“Without privacy people cannot freely express their opinions or seek and receive information. Moreover, mass surveillance turns the presumption of innocence into a presumption of guilt… secret and unfettered surveillance practices violate fundamental rights and the rule of law, and undermine democracy.
“The signatories of this declaration call upon nation states to take action. Intelligence agencies must be subjected to transparency and accountability. People must be free from blanket mass surveillance conducted by intelligence agencies from their own or foreign countries.”
The signatories include academics in the Netherlands, Britain, Germany and the United States.
Among them are Oxford University’s Joss Wright, Alessandro Acquisti of Carnegie Mellon University, Aleecia McDonald of the Center for Internet & Society at Stanford University and Bruce Schneier of the Berkman Institute for Internet and Society at Harvard Law School.
Other signatories included academics from Australia, Hong Kong and New Zealand.
On Thursday, a report indicated that the NSA is making strides toward building a “quantum computer” that could break nearly any kind of encryption.
The Washington Post said leaked documents from Snowden indicate the computer would allow the secret intelligence agency to break encryption used to protect banking, medical, business and government records around the world.
Hacker Barnaby Jack Died from Accidental Overdose: Coroner
Posted on January 3, 2014 by Kara Dunlap in Security
SAN FRANCISCO – The sudden death of prominent hacker Barnaby Jack was due to an accidental overdose of heroin, cocaine and other drugs, a coroner’s report said Friday.
The New Zealand-born Jack, 36, a software wizard famous for remotely hacking ATMs and medical devices, was found dead in his bed by his girlfriend in July.
An autopsy found “no visible or palpable evidence of trauma” on the body. There was “blood inside the nostrils” and “sparse white foam inside the mouth,” the report from the San Francisco Medical Examiner’s office said.
A toxicology screen found evidence of “acute mixed drug … intoxication” from heroin, cocaine, the antihistamine diphenhydramine and Xanax, which combined to cause Jack’s death, the medical examiner said.
The New Zealand native and San Francisco resident worked as a software security researcher at IOActive Labs.
An admired member of the hacker community, Jack said in an IOActive blog post months before his death he had been spending the majority of his time researching vulnerabilities in new model wireless pacemakers and Implantable Cardioverter Defibrillators (ICDs).
Three years earlier, Jack demonstrated his “ATM jackpotting” discovery for an overflow crowd of hackers during a presentation at the infamous DefCon hacker gathering held on the heels of Black Hat annually in Las Vegas.
Jack found a way to access ATMs remotely using the Internet. Once in the machines, he could command them to spit out cash or transfer funds.
He didn’t reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.
He was admired by his fellow hackers, who took to Twitter last year after his sudden death to pay tribute.
“Lost but never forgotten our beloved pirate, Barnaby Jack has passed,” IOActive said in a message at the company’s Twitter account. “He was a master hacker and dear friend. Here’s to you Barnes!”
Related Reading: Barnaby Jack (1977-2013): Farewell to a Daring Wunderkind
Related Video: Barnaby Jack Demonstrates ATM Hacking at Black Hat
Related Reading: Barnaby Jack Leaves McAfee to Return To IOActive
Apple Denies Cooperating With NSA to Develop iPhone Backdoor
Posted on January 1, 2014 by Kara Dunlap in Security
Apple has added its name to the list of companies denying they have ever cooperated with the National Security Agency to create backdoors in any of its products.
The statement followed news of an NSA document leaked by German news magazine Der Spiegel that included a description of a program targeting Apple iPhones called DROPOUTJEEP. The document, which is dated 2008, mentions the program as being under development with the goal of making it possible “to remotely download or upload files to a mobile phone.”
“It would also, according to the catalog, allow the NSA to divert text messages, browse the user’s address book, intercept voicemails, activate the phone’s microphone and camera at will, determine the current cell site and the user’s current location,” Der Spiegel reported.
The initial release was said to be focused on installing the program through physical access, though developers would be working to include a remote access capability in the future.
Security researcher Jacob Appelbaum – who co-authored an article in Der Spiegel on the issue – stated at the Chaos Communication Congress Dec. 30 that the NSA’s boast about having a 100 percent success rate in compromising devices suggests that Apple may have cooperated with the agency.
In response, Apple issued a statement to media outlets that it has never worked with the NSA to develop a backdoor for any of its products, and is unaware of NSA programs to do so.
“Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements,” according to the statement. “Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”
The same NSA document also mentioned tools for compromising products from vendors such as Cisco Systems, Juniper Networks and Dell. Those companies have denied any knowledge of or involvement in NSA activities as well.
NSA Spying on Europe-Asia Undersea Telecom Cables: Report
Posted on December 29, 2013 by Kara Dunlap in Security
BERLIN – The US National Security Agency has collected sensitive data on key telecommunications cables between Europe, north Africa and Asia, German news magazine Der Spiegel reported Sunday citing classified documents.
Spiegel quoted NSA papers dating from February and labelled “top secret” and “not for foreigners” describing the agency’s success in spying on the so-called Sea-Me-We 4 undersea cable system.
The massive bundle of fibre optic cables originates near the southern French city of Marseille and links Europe with north Africa and the Gulf states, continuing through Pakistan and India to Malaysia and Thailand.
“Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle,” Spiegel said.
It said NSA specialists had hacked an internal website belonging to the operator consortium to mine documents about technical infrastructure including circuit mapping and network management information.
“More operations are planned in the future to collect more information about this and other cable systems,” Spiegel quoted the NSA documents as saying.
Der Spiegel has over the last several months reported on mass NSA spying on targets in the United States and abroad using documents provided by fugitive intelligence contractor Edward Snowden.
A White House-picked panel this month recommended curbing the secretive powers of the NSA, warning that its spying sweeps in the “war on terror” had gone too far.
US President Barack Obama plans to address the report in January.
Samsung KNOX Security Software Embedded in Galaxy S4 Vulnerable, Researchers Say
Posted on December 26, 2013 by Kara Dunlap in Security
Researchers have reportedly found a vulnerability in a security system embedded in Samsung’s Galaxy S4 smartphone that could allow an attacker to steal data.
Security researchers at Ben-Gurion University of the Negev in Israel uncovered vulnerabilities in Samsung’s KNOX security solution. The findings were first reported by the Wall Street Journal, which noted that KNOX is currently being reviewed by the U.S. Department of Defense and other government agencies for potential use. Aimed at Google Android devices, KNOX includes the ability to enforce the separation of information through containerization as well as a secure boot and kernel monitoring capabilities.
According to researchers at BGU’s Cyber Security Labs, the issue makes interception of data communications between the secure container and the external world – including file transfers and emails – relatively easy.
“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched,” Ph.D. student Mordechai Guri said in a statement. “The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands. We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”
Guri, who is part of a team of BGU researchers that focus on mobile security and other cyber-issues, uncovered the vulnerability while performing an unrelated research task. According to BGU, KNOX’s secure container is supposed to ensure that all data and communications that take place within the secure container are protected. Even if a malicious application attacks an area outside the secure container, all the protected data should remain inaccessible under all circumstances.
However, researchers found that that is not the case.
“To solve this weakness, Samsung may need to recall their devices or at least publish an over the air software fix immediately,” said Dudu Mimran, chief technology officer of the BGU labs, in the statement. “The weakness found may require Samsung to re-think a few aspects of their secure architecture in future models.”
Samsung did not respond to a request for comment from SecurityWeek. However, the company told the Wall Street Journal that it was investigating the matter, and that preliminary investigation has found that the researchers’ work seems to be based on a device that was not equipped with features that a corporate client would use alongside Knox.
“Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware,” the Samsung spokesperson told the Wall Street Journal.
Alleged NSA Payment to RSA Raises New Fears of Gov’t Undermining Crypto Security
Posted on December 23, 2013 by Kara Dunlap in Security
During the past several months, leaks about the NSA’s electronic surveillance operations have pooled into a river that has spilled into calls for reform.
The most recent drop in that river is a report from Reuters that the NSA paid RSA $10 million to ensure a vulnerable encryption algorithm was used by default in RSA’s BSAFE toolkit. RSA, now a division of EMC, denied ever entering into a contract or being involved in any project with the intention of weakening its products. Still, the report, which was based on sources familiar with the contract, has sparked additional questions about collusion between the tech industry and intelligence agencies.
“The bad part is – if the story is true – the very, very large downside is that it’s compromising a security product,” said John Pescatore, director of emerging security trends at SANS Institute. “It’s one thing if somebody buys a switch or a typewriter or whatever you are not expecting it to sort of protect you…crypto, you are. You’re buying security products with the assumption that the company selling them to you is selling the most secure products. So if NSA has been successful at getting companies like RSA or Microsoft or any of them to compromise the security of their products, that’s sort of taking it to a different level than we have seen in the past.”
In September, leaks by former NSA contractor Edward Snowden led to media reports that the NSA had engaged in an effort to insert vulnerabilities into commercial encryption systems so that it could more easily decrypt communications. Last week, Reuters reported the agency created a backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) that could be exploited and then pushed for RSA to adopt it. Problems with the algorithm have been known for several years, though RSA continued to use it in BSAFE until NIST (National Institute of Standards and Technology) withdrew its support for the standard in September in the wake of growing concerns.
Last week, the Obama administration’s Review Group on Intelligence and Communications Technologies released a report which recommended the NSA abandon efforts to undermine cryptographic standards.
“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage,” according to the report.
“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries,” RSA said in a statement. “We categorically deny this allegation. We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
RSA also said it made the decision to use Dual EC DRBG back in 2004, two years before the Reuters report alleged the NSA approached them with a deal.
“We no longer know whom to trust,” blogged noted cryptographer Bruce Schneier today. “This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix.”
Pescatore, who has worked for the NSA and U.S. Secret Service in the past, said it is a mistake for the NSA to be charged with both the offensive and defensive aspects of the cyber-war, and that the conflicting priorities of those roles can create a mindset where injecting security flaws into encryption standards makes sense. Currently, both the NSA and the US Cyber Command are under the direction of NSA Director Gen. Keith Alexander.
The idea of strong encryption getting into the wrong hands however should not be enough of a reason for the intelligence community to undermine encryption, Pescatore said. After all, if the NSA can find the backdoor, others can as well, he argued.
“I do not think that there needs to be sort of reduced strength [in] security products in case the bad guys get a hold of them any more than I think people’s houses should use easy to pick locks just in case the police need to get in,” he said.
AT&T to Join Rivals with ‘Transparency Report’
Posted on December 21, 2013 by Kara Dunlap in Security
WASHINGTON – AT&T said Friday it would join rivals in the tech and telecom sector in publishing a “transparency report” about demands for information from law enforcement agencies.
The announcement came a day after a similar announcement from sector rival Verizon, which followed releases from big technology firms including Google, Apple and Microsoft, and intense scrutiny of these firms in light of revelations of wide-ranging US government surveillance programs.
AT&T said in a statement it would release a semiannual report starting in early 2014 with information “to the extent permitted by laws and regulations.”
The report will include the total number of law enforcement agency requests in criminal cases, subpoenas, court orders and warrants.
AT&T said it believes that “any disclosures regarding classified information should come from the government, which is in the best position to determine what can be lawfully disclosed and would or would not harm national security.”
The telecom giant said that “protecting our customers’ information and privacy is paramount,” and that it complies with legal requests in the countries where it operates.
“We work hard to make sure that the requests or orders are valid and that our response to them is lawful,” the AT&T statement said.
“We’ve challenged court orders, subpoenas and other requests from local, state and federal governmental entities — and will continue to do so, if we believe they are unlawful. We do not allow any government agency to connect directly to our network to gather, review or retrieve our customers’ information.”
The announcements from AT&T and Verizon come after a period when the telecom firms were notably absent from a debate on disclosures about the scope of US surveillance programs from fugitive former intelligence contractor Edward Snowden.
But the telecom and tech firms are still barred from releasing data on national security requests from the FBI and US intelligence services.
A push by the tech sector to get authorization to release the sensitive data requests got a boost this week from an independent review board appointed by President Barack Obama, which recommended that this data be published.
Tech firms have said their sales overseas are being hurt by a perception that the US government can easily gain access to their networks.
Obama to Release Review Panel Report Into NSA Spy Sweeps
Posted on December 18, 2013 by Kara Dunlap in Security
WASHINGTON – The White House will release a review Wednesday calling for reforms in National Security Agency spying sweeps, exposed by Edward Snowden, which have angered US allies and raised legal and privacy concerns.
President Barack Obama’s spokesman Jay Carney said the report by a review panel was being released earlier than a planned date in January due to incomplete and inaccurate media reporting about its contents.
Obama met members of the review panel earlier on Wednesday to work through the 46 recommendations in the report.
“While we had intended to release the review group’s full report in January … given the inaccurate and incomplete reports in the press about the report’s content, we felt it was important to allow people to see the full report to draw their own conclusions,” Carney said.
“For that reason, we will be doing that this afternoon — releasing the full report.”
Obama commissioned the review panel report earlier this year in the wake of explosive revelations by fugitive intelligence contractor Snowden on the stunning scope of the NSA’s operations.
He has said he wants to strike a balance between keeping Americans safe from terrorist threats and safeguarding privacy rights guaranteed by the US Constitution.
The review board comprises former White House counter-terrorism advisor Richard Clarke; Michael Morell, the ex-deputy director of the CIA; Peter Swire, an official specializing in privacy and technology issues; constitutional law professor Geoffrey Stone; and Cass Sunstein, a former regulatory official in the Obama administration.
The president has said he would try to get the shady spy agency to restrain its Internet and phone data collection operations but is expected to allow them to continue in some form.
Obama is due to consider which of the recommendations he will accept and will then make a speech to the American people in January.
The release of the report comes with intense pressure building on the administration over the programs, from political opponents, the Internet industry and even the courts.
A federal judge in Washington this week ruled that NSA programs, which have scooped up millions of details on telephone calls and Internet traffic on Americans and foreigners, were probably unconstitutional.
The ruling opened a long legal battle which is likely to end up in the Supreme Court.
EU Bank Watchdog Warns Over Bitcoin
Posted on December 15, 2013 by Kara Dunlap in Security
LONDON – The European Union’s banking watchdog on Friday issued a warning over virtual currency trading amid huge swings in the value of Bitcoin, a lack of regulation and money laundering risks.
“The European Banking Authority (EBA) is issuing this warning to highlight the possible risks you may face when buying, holding or trading virtual currencies such as Bitcoin,” a statement said.
The EBA added: “We recommend that, if you buy virtual currencies, you should be fully aware and understand their specific characteristics.”
Bitcoin has become a global phenomenon, with the price rising so much that a Norwegian man was able to buy an apartment with some of the 5,000 Bitcoins he bought for just $24 in 2009.
The explosive growth has raised alarm bells, with analysts warning of a potential crash due to a lack of fundamental underpinning.
The EBA urged users to “exercise the same caution with your digital wallet as you would do with your conventional wallet or purse.”
Related: European Bitcoin Payment Processor Hacked, $1M Stolen
The watchdog said people should not keep large amounts of money in their digital wallet for an extended period.
The warning comes as Chinese speculators have seen Bitcoin values plunge, soar and plunge again within days.
China is the world’s biggest market for trading Bitcoins, but around $5.0 billion was wiped off the value of the currency’s global stock within an hour of an announcement from Beijing’s central bank in early December, banning financial institutions from dealing in it.
Bitcoin was invented in the wake of the global financial crisis by a computer scientist using the pseudonym Satoshi Nakamoto.
It is based on cryptography and only 21 million units can ever be created, which can be stored either virtually or on a user’s hard drive.
It offers a largely anonymous payment system with no centralized structure and transactions are publicly logged in what is known as the “block chain”.
Related Reading: Australian Claims Huge Bitcoin Robbery