Feb 28 2014

Report: Secret Service investigates possible network breach of Sears

The US Secret Service is investigating a possible attack on the corporate network of Sears Holdings Corp. after high-profile hacks of Target, Neiman Marcus, and possibly other retailers have compromised tens of millions of credit cards, Bloomberg News reported.

"There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach," a Sears spokesman said in a statement, according to a report published Friday. "We have found no information based on our review of our systems to date indicating a breach."

Neither the Bloomberg report nor the statement from Sears said when the investigation began or provided other details. KrebsOnSecurity reporter Brian Krebs, who originally broke news of the Target breach, cautioned that there's reason to believe there may be no breach at Sears.


Feb 28 2014

Breach Blind Spot Puts Retailers on Defensive

In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weakness in banks’ anti-fraud systems, one that becomes apparent mainly in the wake of massive breaches like the one at Target late last year.

Earlier this week, rumors began flying that Sears was breached by the same sort of attack that hit Target. In December, Target disclosed that malware installed on its store cash registers compromised credit and debit card data on some 40 million transactions. This publication reached out on Wednesday to Sears to check the validity of those rumors, and earlier today Bloomberg moved a brief story saying that the U.S. Secret Service was said to be investigating a possible data breach at Sears.

But in a short statement issued today, Sears said the company has found no information indicating a breach at the company.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears said in a written statement. “We have found no information based on our review of our systems to date indicating a breach.”

The Secret Service declined to comment.

Media stories about undisclosed breaches in the retail sector have fueled rampant speculation about the identities of other victim companies. Earlier this week, The Wall Street Journal ran a piece quoting Verizon Enterprise Solutions’s Bryan Sartin saying that the company — which investigates data breaches — was responding to two different currently undisclosed breaches at major retailers.

Interestingly, Sartin gave an interview last week to this publication specifically to discuss a potential blind spot in the approach used by most banks to identify companies that may have had a payment card breach — a weakness that he said almost exclusively manifests itself directly after large breaches like the Target break-in.

The problem, Sartin said, stems from a basic anti-fraud process that the banks use called “common point of purchase” or CPP analysis. In a nutshell, banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe.

This CPP analysis can be a very effective tool for identifying breaches; according to Sartin, CPP — if done properly — can identify a breached entity nine times out of ten.

“When there is a common point of purchase, more than 9 times out of 10 not only do we later find evidence of a security breach, but we can conclusively tie the breach we found to the fraud pattern that’s been reported,” Sartin said.

However, in the shadow of massive card thefts like the one that occurred at Target, false positives abound, Sartin said. The false positives often come from small institutions that lack the broader perspective to see how much the victim population of a breach like Target’s overlaps with the customer base of similar retailers.

And that can lead to a costly and frustrating situation for many retailers, particularly if enough banks report the errant finding to Visa, MasterCard and other card associations. At that point, the card brands typically require the identified merchant to hire outside investigators to search for signs of a breach.

“CPP is linear enough that it just says look, there’s a problem in these shoppers’ accounts,” Sartin said. “So you have many banks looking at these patterns, and reporting that upstream, and the more noise these banks make about it, the more likely there will be an investigation that could be erroneous. That’s why there is often a period of probably 60 to 90 days after a major data breach that until such time as the investigating entity gets there and [identifies] the at-risk batch of accounts — there’s really no ability for them to identify what’s a false flag and what’s not.”
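How the CPP grouping Sartin describes works, and why a large breach produces false flags at similar retailers, as an added example in Python (not code from the article, from Verizon or from any bank). All merchants, card identifiers, dates and thresholds below are constructed for illustration: MegaMart stands in for a large breached retailer, SimilarCo for a retailer that shares its customers, and CornerShop for a genuine second breach. The first pass flags all three; subtracting the at-risk batch attributed to the confirmed breach, the step Sartin says investigators need 60 to 90 days to reach, clears the false positive and leaves the real one.

```python
"""Common point of purchase (CPP) analysis on constructed card transactions.

Added example, not code from the article. It shows the basic CPP grouping
banks use, the false positive that appears when a big breach's victims
overlap with a similar retailer's customers, and how subtracting the known
breach's at-risk batch removes that false flag. Every merchant, card id,
date and threshold here is made up.
"""
from collections import defaultdict
from datetime import date


def cpp_counts(transactions, fraud_cards, window_start, window_end):
    """Map each merchant to the set of fraud-reported cards used there in the window."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if card in fraud_cards and window_start <= when <= window_end:
            seen[merchant].add(card)
    return seen


def flag_merchants(counts, min_cards):
    """Naive CPP: any merchant seen on at least min_cards fraud cards is a suspect."""
    return sorted(
        ((m, len(cards)) for m, cards in counts.items() if len(cards) >= min_cards),
        key=lambda mc: (-mc[1], mc[0]),
    )


def cards_at(transactions, merchant, window_start, window_end):
    """At-risk batch for a confirmed breach: every card used at that merchant in the window."""
    return {c for c, m, when in transactions
            if m == merchant and window_start <= when <= window_end}


def cpp_excluding_known_breach(transactions, fraud_cards, known_merchant,
                               window_start, window_end, min_cards):
    """Re-run CPP after removing cards already explained by a confirmed breach."""
    at_risk = cards_at(transactions, known_merchant, window_start, window_end)
    remaining = fraud_cards - at_risk
    return flag_merchants(cpp_counts(transactions, remaining, window_start, window_end),
                          min_cards)


# --- constructed sample data (hypothetical merchants and cards) ---------------
WINDOW = (date(2013, 11, 27), date(2013, 12, 15))   # assumed breach window


def _tx(cards, merchant, day):
    """Build (card, merchant, date) tuples for a batch of cards on one December day."""
    return [(c, merchant, date(2013, 12, day)) for c in sorted(cards)]


BREACH_VICTIMS = {f"c{i:02d}" for i in range(1, 11)}   # shopped at MegaMart, data stolen
SIMILAR_OVERLAP = {f"c{i:02d}" for i in range(1, 8)}   # same people also shop at SimilarCo
CORNER_VICTIMS = {"c11", "c12", "c13", "c14"}          # a separate, real breach
CLEAN = {f"c{i:02d}" for i in range(15, 21)}            # no fraud reported on these

TRANSACTIONS = (
    _tx(BREACH_VICTIMS | {"c15", "c16"}, "MegaMart", 1)
    + _tx(SIMILAR_OVERLAP | {"c11", "c17", "c18"}, "SimilarCo", 3)
    + _tx(CORNER_VICTIMS | {"c19"}, "CornerShop", 5)
    + _tx({"c20"}, "CornerShop", 20)        # outside the window, must be ignored
    + _tx(CLEAN, "GasStation", 8)
)

# Cards on which issuing banks have seen fraudulent activity.
FRAUD_CARDS = BREACH_VICTIMS | CORNER_VICTIMS


def naive_result():
    """First pass: flags MegaMart (true), SimilarCo (false flag) and CornerShop (true)."""
    return flag_merchants(cpp_counts(TRANSACTIONS, FRAUD_CARDS, *WINDOW), min_cards=4)


def corrected_result():
    """After MegaMart's at-risk batch is known and subtracted, only CornerShop remains."""
    return cpp_excluding_known_breach(TRANSACTIONS, FRAUD_CARDS, "MegaMart",
                                      *WINDOW, min_cards=4)


if __name__ == "__main__":
    print("naive CPP:", naive_result())
    print("after removing MegaMart's at-risk batch:", corrected_result())
```

Run the file directly to print both result lists. The point of the second pass is that SimilarCo's seven fraud cards are all explained by the MegaMart batch, so they are not evidence about SimilarCo; CornerShop's four cards are not, which is why it survives the subtraction.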

Feb 28 2014

How to turn a phone into a covert bugging device? Infect the printer

Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow devices on the same local network to remotely execute code that causes the device to surreptitiously record all sounds within earshot and transmit them to a server controlled by attackers. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs.

Cui, who is scheduled to present his research Friday at the RSA security conference in San Francisco, said the attack underscores the growing susceptibility of phones, routers, and other embedded devices to the types of malware attacks that once threatened only computers. He and Salvatore Stolfo, who is a Columbia University professor of computer science and a Red Balloon director, have devised software dubbed Symbiote, which runs on Internet phones and other embedded devices and alerts users whenever changes are made to the firmware. Symbiote is part of a larger defense the pair has developed called AESOP, short for the Advanced Embedded Sec Ops.


Feb 28 2014

Sochi Olympics Terrorism Fears Used as Bait for Targeted Darkmoon Campaigns

While the Sochi Winter Olympics may now be over without incident, considering all of the media attention and fears surrounding a potential terrorist attack at the event, it should come as no surprise that cyberattackers were preying on these uncertainties to target potential victims of interest.

During the games, Symantec saw multiple targeted email campaigns that used Sochi Olympics themes to bait potential victims. These observed email campaigns were blocked by our Symantec.Cloud service. In one such campaign, we saw that targets were being sent the following email.


Figure 1. Email purporting to relate to a terrorist threat at the Sochi Olympics

In this campaign, attackers were using the social engineering ploy of a terrorist threat at the Sochi Olympics to lure in their victims. While the email does not look professional, curiosity about the content can still be enough to persuade an individual to open the attachment. If a victim fell prey to opening the attachment, their computer became infected with Backdoor.Darkmoon. Darkmoon is a popular remote access Trojan (RAT) which is often used in targeted attacks, as seen in a recent Symantec blog about how the G20 Summit was used as bait in targeted emails and in the 2011 Symantec whitepaper, The Nitro Attacks.

In another targeted campaign using the Sochi Olympics theme, we observed the following email that was being sent by an attacker to targets of interest.

Figure 2. Email purporting to relate to military co-operation at the Sochi Olympics

Again, as seen in the email, the attackers used the social engineering ploy of military co-operation around the Sochi Olympics. This time, the payload was Trojan.Wipbot. This Trojan is associated with another similar targeted attack campaign, which included an attack that used a Windows zero-day elevation of privilege vulnerability.

These attacks highlight the ongoing need for vigilance when receiving any unsolicited emails. They also reinforce what is already known — targeted attackers are quick to make use of the latest news or events to enhance the chances of success for their social engineering ploy. The campaigns also highlight how targeted email attacks are showing no sign of dissipating anytime soon.

As always, we advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of any kind.