Home Depot confirms breach but stays mum as to size

On Monday, Home Depot confirmed that thieves compromised the payment systems in its stores in the US and Canada and stole credit and debit card data.

The theft likely began in April and used unspecified malware, but it may not have compromised the PINs used to secure debit cards, the company said in a statement. The home supply retailer has not yet determined how many cards were breached, but the thieves had as many as six months in the company's systems. Comparatively, the malware-enabled theft of card data from retail giant Target resulted in the compromise of 40 million credit and debit card accounts and occurred in just over three weeks, albeit during the peak shopping season.

Home Depot's Chairman and CEO Frank Blake apologized to customers on Monday.


BackOff Malware Uses Encryption to Hide Its Intentions

Often we see malware authors using encryption or obfuscation along with other techniques to modify the static contents of malware. They do this to evade static-based clustering and detection even though the behavior is the same. In many cases obfuscation also helps hide the threat’s malicious intentions from security researchers.

BackOff, a point-of-sale malware designed to steal banking login credentials, is one of the latest to use this method. BackOff creates a fake Oracle Java folder and drops a copy of its own binary as javaw.exe in the appdata folder; the name mimics the legitimate Java executable from Oracle. Once the copy in appdata is in place, the original malware file is deleted. A log file (log.txt) is created to store all keystrokes. For example, if the victim types “testing 1 2 3 This is a test,” the log file will store it in the following fashion:

[screenshot: contents of log.txt for the sample keystrokes]

The malware stores not only the time and date but also preserves the case of the victim’s keystrokes while logging them. This makes sense because banking and other important credentials are generally case sensitive.

In an earlier variant there was no visible attempt to hide these behaviors. As the following strings related to the creation of the fake javaw.exe show, the keylogging activity is visible in plaintext in the malware.

[screenshots: plaintext strings from the earlier variant, including the fake javaw.exe name and the keylogging routine]

Some binaries of this malware were so user friendly that they had proper comments to make sure that even a script kiddie could make proper use of it. For example, the following binary has the comment “edit with your URL” so that the keylogs can be uploaded to the controller’s site.

[screenshot: binary containing the comment “edit with your URL”]

However, such open behavior is not the case in the most recent binaries. The new samples, despite behaving the same way, contain no obvious static content. The following segment of the variant shows no understandable strings.

[screenshot: segment of the new variant with no readable strings]

We found that the malware uses an extensive encryption algorithm to hide the data revealed in the older variant. The following shows a section of the decryption loop.

[screenshot: section of the decryption loop]

This code, expressed as a simple statement, reads:

    a[counter] = ((a[counter+1] - v) and k) or (shiftleft(a[counter] - v, 4) xor key[i])

Here a[counter] is the encrypted array, key[i] is an array holding a hardcoded key that is repeated from the start once it is fully exhausted, and v is a fixed value that alternates on each cycle of the loop: in this sample it is 0x6c on odd iterations and 0x41 on even ones. k is a fixed constant.
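The decryption loop described above, written out as an added example (not McAfee’s code and not taken from a BackOff sample) so that the alternating v, the cycling key and the 8-bit masking are explicit. Assumptions, labelled in the code: and/or/xor are bitwise, the counter starts at 0 (even counters use 0x41, odd ones 0x6c), the unspecified constant k is 0x0F, the key bytes and the encrypted buffer are constructed, and the last byte of the buffer is read as a[counter+1] but never rewritten.

```python
# Added example of the BackOff decryption loop as described in the write-up.
# Not McAfee's code. Assumptions: bitwise and/or/xor, counter starts at 0,
# arithmetic wraps at 8 bits, k is 0x0F (the write-up only calls it "a fixed
# constant"), and the final byte is only read, never rewritten.

V_EVEN = 0x41     # v on even iterations (from the write-up)
V_ODD = 0x6C      # v on odd iterations (from the write-up)
K_ASSUMED = 0x0F  # value of k is not given; 0x0F assumed here


def backoff_decrypt(encrypted: bytes, key: bytes, k: int = K_ASSUMED) -> bytes:
    """Apply a[c] = ((a[c+1]-v) & k) | (((a[c]-v) << 4) ^ key[c % len(key)])
    in place for c = 0 .. len-2 and return the rewritten bytes."""
    if not key:
        raise ValueError("key must not be empty")
    a = bytearray(encrypted)
    for counter in range(len(a) - 1):
        v = V_ODD if counter % 2 else V_EVEN
        # a[counter+1] has not been processed yet, so it is still ciphertext
        low = (a[counter + 1] - v) & k
        high = (((a[counter] - v) << 4) & 0xFF) ^ key[counter % len(key)]
        a[counter] = (low | high) & 0xFF
    return bytes(a[:-1])  # drop the trailing byte that only served as a[counter+1]


def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes: a quick sanity check an analyst can use
    when trying candidate values for k or the key against a real sample."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in data) / len(data)


# Constructed sample input (not bytes from a real BackOff binary).
SAMPLE_KEY = bytes([0x10, 0x20, 0x30])          # 3-byte key, so counter 3 wraps to key[0]
SAMPLE_ENCRYPTED = bytes([0x45, 0x70, 0x47, 0x6F, 0x4A])

if __name__ == "__main__":
    plain = backoff_decrypt(SAMPLE_ENCRYPTED, SAMPLE_KEY)
    print(plain, printable_ratio(plain))
```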

After decryption we can observe that the control server is visible.

[screenshot: decrypted data with the control server address visible]

This site is blacklisted by McAfee SiteAdvisor.

[screenshot: McAfee SiteAdvisor blacklist entry for the site]

McAfee provides generic coverage for both the plain and the encrypted variants of BackOff, as “BackOff!” and “EncBackOff!” respectively.

The post BackOff Malware Uses Encryption to Hide Its Intentions appeared first on McAfee.

Is it Time to Upgrade to Zen Cart 1.5.3?

It has now been a couple of months since Zen Cart 1.5.3 was released, and we have handled enough upgrades to the new version to offer our insights on the question clients keep asking when we discuss upgrading Zen Cart: is it time to upgrade to Zen Cart 1.5.3?

Let’s start with what is new in Zen Cart 1.5.3. One of the big changes is that version 1.5.3 supports PHP 5.4, 5.5, and 5.6. The new version includes some security enhancements, among them better password hashing, along with numerous bug fixes and some performance enhancements. You can find the full list of changes in the release announcement.

We have run into a couple of issues when doing upgrades to 1.5.3. The first is that many addon modules do not officially support Zen Cart 1.5.3 yet. Some modules may not need any changes at all; their maintainer simply hasn’t bumped the supported Zen Cart version. Modules that modify core Zen Cart files will need updated versions of those files included; until that happens you can still use them with 1.5.3 if you apply the changes they make to the versions of those files included with 1.5.3. Others need to be modified to work with Zen Cart 1.5.3. The second issue we have found is that some changes in Zen Cart 1.5.3 will require changes to your current setup: for example, changing the time zone now needs to be done differently, and custom templates may need to be changed to support the more secure redirect links.

With the basics set out, below we provide advice on whether it is time to upgrade depending on your current situation:

Running Zen 1.3.9, 1.3.8, or older

If you are still running Zen Cart 1.3.9, 1.3.8, or an even older version, you are overdue for an upgrade at this point, so you should probably go ahead with the upgrade now. While module issues with 1.5.3 could cause some problems, you are probably going to run into module issues that will have to be dealt with during testing when upgrading from those versions to any version of Zen Cart 1.5.

Need to Be Using a PA-DSS Certified Version of Zen Cart

Zen Cart 1.5.0 continues to be the only version that is PA-DSS certified, so those who need that for PCI compliance purposes should remain on 1.5.0 for now. The release announcement for 1.5.3 says that a new PA-DSS certified version should “hopefully” be released in “only a couple months”.

Web Hosting Account Switching to PHP 5.4, 5.5, or 5.6

The number one reason we are hired to do Zen Cart upgrades is that the version currently in use is not compatible with the version of PHP that the website’s web server is being upgraded to. With the recent end of support for PHP 5.3, web hosts should be moving to at least PHP 5.4 soon (though many web hosts are only now transitioning off of PHP 5.2, despite its support ending in January of 2011). Zen Cart 1.5.3 is the first release to support PHP 5.4, 5.5, and 5.6, so anyone moving to those versions of PHP should upgrade.

Running 1.5.0 or 1.5.1

If you don’t need to upgrade for the new versions of PHP, don’t have an urgent need for any of the bug fixes or improvements, and use a lot of modules, you may want to hold off until more modules are updated for Zen Cart 1.5.3. Otherwise, it would be a good idea to upgrade now.

Twitter Bug Bounty Official – Started Paying For Bugs

So the Twitter bug bounty program is now official: they are actually paying, and not a bad amount either. A minimum of $140 for a confirmed bug, with no defined maximum. This covers the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s [...] The post Twitter Bug...

Read the full post at darknet.org.uk