Home Depot estimates data on 56 million cards stolen by cybercriminals

The cybercriminals who compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," Home Depot said in its statement. "The hacker's method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all US stores."


In-depth: How CloudFlare promises SSL security—without the key

CloudFlare has developed a way to separate SSL from private crypto keys, making it easier for companies to use the cloud to protect their networks.

Content delivery network and Web security company CloudFlare has made a name for itself by fending off denial-of-service attacks against its customers large and small. Today, it's launching a new service aimed at winning over the most paranoid of corporate customers. The service is a first step toward doing for network security what Amazon Web Services and other public cloud services have done for application services—replacing on-premises hardware with virtualized services spread across the Internet.

Called Keyless SSL, the new service allows organizations to use CloudFlare’s network of 28 data centers around the world to defend against distributed denial of service attacks on their websites without having to turn over private encryption keys. Keyless SSL breaks the encryption “handshake” at the beginning of a Transport Layer Security (TLS) Web session, passing part of the data back to the organization’s data center for encryption. It then negotiates the session with the returned data and acts as a gateway for authenticated sessions—while still being able to screen out malicious traffic such as denial of service attacks.

In an interview with Ars, CloudFlare CEO Matthew Prince said that the technology behind Keyless SSL could help security-minded organizations embrace other cloud services while keeping a tighter rein on them. “If you decide you’re going to use cloud services today, how you set policy across all of these is impossible," he said. "Now that we can do this, fast forward a year, and we can do things like data loss prevention, intrusion detection… all these things are just bytes in the stream, and we’re already looking at them.”


Apple Releases Security Updates for iOS, Apple TV, and Xcode

Original release date: September 18, 2014

Apple released security updates for iOS devices, Apple TV, and Xcode to address multiple vulnerabilities, some of which could allow attackers to execute code with system privileges or cause an unexpected application termination.

Updates available include:

  • iOS 8 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
  • Apple TV 7 for Apple TV 3rd generation and later
  • Xcode 6.0.1 for OS X Mavericks v10.9.4 and later

Users and administrators are encouraged to review Apple security updates HT6441, HT6442, and HT6444 and apply the necessary updates.




Twitter Vulnerability Allows Deletion Of Payment Details

Twitter has been in the news a lot lately, first for its patent filing on proactive scanning of the web for malware and then for its bug bounty going live, which is related to this story. This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug [...]

Read the full post at darknet.org.uk