Category: breach

Aug 08 2016

Oracle-owned point-of-sale service suffers from malware attack

MICROS, an Oracle-owned division that's one of the world's top three point-of-sale services, has suffered a security breach. The attack possibly comes at the hands of a Russian crime gang that siphoned out more than $1 billion from banks and retailers in past hacks, security news site KrebsOnSecurity reported Monday.

Oracle representatives have told reporter Brian Krebs that company engineers "detected and addressed malicious code in certain legacy MICROS systems" and that the service has asked all customers to reset their passwords for the MICROS online support site. Anonymous people have told Krebs that Oracle engineers initially thought the breach was limited to a small number of computers in the company's retail division. The engineers later realized the infection affected more than 700 systems.

Krebs went on to report that two security experts briefed on the breach investigation said the MICROS support portal was seen communicating with a server that's known to be used by the Carbanak Gang. Over the past few years, Carbanak members are suspected of funneling more than $1 billion out of banks, retailers, and hospitality firms the group hacked into.


Aug 03 2016

New attack steals SSNs, e-mail addresses, and more from HTTPS pages

A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites. (credit: Vanhoef, Van Goethem)

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas.


Feb 10 2016

IRS website attack nets e-filing credentials for 101,000 taxpayers

The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday.

Identity thieves made the haul by using taxpayers' personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them.

No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.


Sep 23 2015

OPM breach included five times more stolen fingerprints

5.2 million scans of this form, complete with fingerprints, are now in the hands of foreign intelligence. But don't worry, because the feds say there's very few ways the data can be "misused." (credit: FBI)

The Office of Personnel Management's press secretary Sam Schumach announced this morning that the breach of OPM background investigation data included approximately 5.6 million sets of fingerprints from federal employees, contractors, and other subjects of federal background checks. The new number, tied to the discovery of additional archived data that was stolen over the period of the breach, more than quintuples the number of individuals whose fingerprint data were stolen. OPM's previous estimate stood at 1.1 million. However, the new findings do not increase the overall number of people affected in the background investigation data breach from 21.5 million, Schumach said in an official statement.

Those fingerprints were collected as part of the OPM's background investigations at all levels of sensitivity—ranging from the "National Agency Check with Written Inquiries" (NACI) inquiries for federal employees with "moderate, low risk and non-sensitive positions" to the full field investigations required for more sensitive positions. Based on leaked statements from the Obama administration, the fingerprint data is now, at a minimum, in the hands of the foreign intelligence services of China. Just how that fingerprint data could be used, however, is not clear.

"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," Schumach said. "However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area—including the FBI, DHS, DOD, and other members of the Intelligence Community—will review the potential ways adversaries could misuse fingerprint data now and in the future...[and] also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
