Dec 31 2014

US banks trace credit fraud to Chick-fil-A locales in possible data breach

Several US financial institutions have discovered a pattern of credit card fraud in accounts used at different Chick-fil-A locations across the US, according to KrebsOnSecurity.

Veteran security reporter Brian Krebs writes that Chick-fil-A received similar reports and is now working with authorities in an ongoing investigation to determine whether there was a data breach. The site first heard of the potential compromise in November, but a major credit association issued an alert late this month that confirmed the situation. "Just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014," Krebs noted.

If the fraud is due to a data breach, Information Week reports that Chick-fil-A will absolve affected customers of fraudulent charges and offer them free credit monitoring services. "If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts," the company said in a statement. "Any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring."


Dec 31 2014

Feds: Sony hackers’ next target will be an unnamed news organization

Guardians of Peace, the hacker group that targeted Sony Pictures over its film, The Interview, has apparently also threatened to hack an unnamed "news media organization," according to a bulletin from the FBI and the Department of Homeland Security (DHS).

The document, dated December 24, 2014, was first published by The Intercept on Wednesday. The FBI did not immediately respond to Ars’ request for comment.

Referring to Sony Pictures as USPER1 (US Person 1), the bulletin reads:


Dec 30 2014

The unusual suspects: ex-employees, Lizard Squad may have aided Sony hack

All sorts of theories about who really made off with terabytes of Sony Pictures Entertainment’s corporate data and then set off malware erasing the company’s hard drives have emerged over the past week in the wake of Sony’s release of The Interview. While the FBI is insistent that the responsibility for the Sony breach and cyber-defenestration rests solely on the Democratic People’s Republic of Korea, security analysts who have conducted their own examination of the malware and other information suggest that the attack was at least partially an inside job.

But there’s been another strange twist in the Sony Pictures saga: now Lizard Squad, the DDoS attackers involved in the Christmas denial-of-service attacks against Sony’s PlayStation Network and Microsoft’s Xbox Live network, have claimed they were tangentially involved in the breach. Someone claiming to represent Lizard Squad told the Washington Post’s Brian Fung that Lizard Squad had sold Sony Pictures usernames and passwords to the Sony attackers (the "Guardians of Peace"). Fung said that his contact confirmed his identity by posting something to the group’s Twitter feed.

"We handed over some Sony employee logins to them," said Fung's source. "For the initial hack. We came by them ourselves. It was a couple."


Dec 30 2014

NSA has VPNs in Vulcan death grip—no, really, that’s what they call it

The National Security Agency’s Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP’s VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

OTP’s VPN exploit team had members assigned to branches focused on specific regional teams, as well as a “Cross-Target Support Branch” and a custom development team for building specialized VPN exploits. At the regional level, the VPN team representatives acted as liaisons to analysts, providing information on new VPN attacks and gathering requirements for specific targets to be used in developing new ones.

While some VPN technologies—specifically, those based on the Point-to-Point Tunneling Protocol (PPTP)—have previously been identified as being vulnerable because of the way they exchange keys at the beginning of a VPN session, others have generally been assumed to be safer from scrutiny. But in 2010, the NSA had already developed tools to attack the most commonly used VPN encryption schemes: Secure Shell (SSH), Internet Protocol Security (IPSec), and Secure Sockets Layer (SSL) encryption.
