Mozilla is offering a $10,000 bug bounty for serious security vulnerabilities in a new cryptography library it plans to release along with Firefox 31.
Archive for April, 2014
UK, US and Australia urge web users to avoid Internet Explorer, Windows XP users most at risk
NEW YORK — Still pushing to right itself after an enormous data breach last year, Target announced Tuesday that a new chief information officer will oversee the company’s technology team and data security.
The new executive, Bob DeRodes, has held senior technology positions at a variety of companies including Home Depot and Delta Air Lines, and has served as a consultant to several federal agencies, including the departments of Homeland Security, Justice, and Defense, Target said.
The previous head of technology at the retailer, Beth M. Jacob, resigned in March facing questions about whether she had the appropriate training to oversee protection of the company’s computer networks that housed huge amounts of private consumer data.
In addition to appointing Jacob’s replacement, Target announced an accelerated timetable — by early next year — for shifting all of its Redcard debit and credit cards to chip-and-PIN technology, which is widely used in Europe and is considered more secure than cards that rely on magnetic strips. Company executives have been promoting the system industrywide since the breach. Target said it will spend $100 million switching to the new system.
The company also outlined some of the security measures it has been adopting. It has deployed advanced technology like white-listing, which allows only web traffic that the company knows is innocuous to enter its systems. The company is adding more sophisticated security around its network, including for its payment systems and customer data, which security specialists say the company should have done long ago.
“I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology,” Gregg Steinhafel, Target’s chief executive, said in a statement.
On Dec. 19, just days before Christmas and in the crush of the holiday shopping season, Target acknowledged that credit and debit card information for 40 million customers had been exposed. A few weeks later, the company said a second batch of information, the personal information of some 70 million people, had been compromised as well. The company has since said it believes there is overlap of at least 12 million people between the two groups. Company executives have said that news of the breach significantly hurt traffic and sales, and the company’s earnings underscored that fact. Target’s fourth-quarter profits were down 46 percent compared with the same period the year before.
During that quarter, the company said, it spent $61 million on breach-related expenses, and executives said they expected the costs to continue.
Several other companies, including retailers and a hotel company, have also been hacked in recent months.
Data breaches at Neiman Marcus and the arts and crafts retailer Michaels have been committed by the same band of criminals in Eastern Europe that infiltrated Target, according to people involved in the investigation, who were not authorized to speak publicly.
BOSTON (AP) – Boston Medical Center has fired a transcription service after a health care provider reported the records of about 15,000 patients were posted without password protection on the vendor’s website used by physicians.
The records contained names, addresses, and medical information, including what drugs they were taking, but did not include Social Security numbers or financial information.
Jenni Watson, the hospital’s chief of staff, tells The Boston Globe that letters have been sent to patients notifying them of the data breach on the website operated by MDF Transcription Services and its subcontractors. She said the hospital had no reason to believe the information was viewed by outsiders or misused.
A representative of MDF did not return a phone call seeking comment.
The breach was discovered on March 4.
Information from: The Boston Globe
It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren’t so far-fetched.
Cesar Cerrudo, a researcher and CTO at IOActive, took a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world. He found not only that the devices were vulnerable to a number of attacks, but that they could be exploited quite easily and perhaps used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment.
“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” he wrote in a blog post on the research he conducted.
“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.”
Cerrudo is not identifying the vendor involved in the research, or the specific vulnerabilities he discovered, until next month when he presents the results at the Infiltrate security conference. But he has reported the flaws to the vendor, through the ICS-CERT, and the vendor said it does not consider the issues to be security vulnerabilities, but rather expected behavior from the products.
Traffic lights and electronic signs on highways and streets are controlled by automated systems in many cities, and Cerrudo discovered that the vendor he was investigating has deployments of vulnerable systems in a number of countries, including the United States, China, the U.K., Australia and Canada. After doing some initial research, Cerrudo traveled to several U.S. cities, including New York and Washington, D.C., to confirm that the attacks he’d developed would work in the real world. He found that it was no problem to cause issues with traffic control systems by using the vulnerabilities he’d identified.
“It’s possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green (I bet many of you have experienced something like this as a result of driving during non-traffic hours late at night or being on a bike or in a small car), or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed,” he said.
While the vulnerable devices are made by one vendor, Cerrudo said that there are a number of resellers who rebrand them and sell to customers directly. He said via email that getting the devices to test was not difficult. The response he got from the vendor, he said, was disheartening.
“I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn’t convince them. In the end I said, if the vendor doesn’t think they are vulnerable then OK, I’m done with this; I have tried hard, and I don’t want to continue wasting time and effort. Also, since DHS is aware of this (through ICS-CERT), and it seems that this is not critical nor important to them, then there isn’t anything else I can do except to go public,” he said.
“This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously.”
Image from Flickr photos of William Warby.
Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach.
The Internet Explorer zero day disclosed over the weekend may not be the precursor to the Windows XP malware apocalypse everyone has been dreading, but it has prompted US-CERT to advise against using the Microsoft browser until it is patched. And it has kicked off further research into the vulnerability to see what else is under the covers.
Researchers at Websense reported yesterday that a number of IE crash reports coinciding with the appearance of the exploit in the wild point to two more possible vulnerabilities, beyond CVE-2014-1776, in VGX.DLL, the vector graphics library used by IE 8 and IE 9.
The researchers use application crash reports from computers running Windows XP, Vista, 7 and 8 sent through the Windows Error Reporting framework to investigate the possibility of advanced attacks against organizations. Exploits often cause applications to crash and these reports, also known as Dr. Watson reports, are sent in the clear to Microsoft so that bugs can be prioritized and addressed, as well as user experience issues. The reports are triggered not only by crashes, but also when applications fail to update or when hardware changes are detected on a network.
The IE zero day set off alarm bells since it can be exploited all the way back to versions of IE compatible with Windows XP, which is no longer supported by Microsoft as of April 8. Microsoft issued an advisory and warned users that hackers were actively exploiting the use-after-free vulnerability in limited targeted attacks, although only in IE 9 through IE 11.
Researchers at FireEye also shared details on the exploit and said that it is used in conjunction with an Adobe Flash exploit to cause memory corruption and allow an attacker to run code remotely on the compromised computer. The vulnerability in IE is specific to the browser’s handling of the Vector Markup Language and vector graphics rendering. Microsoft advised as a temporary mitigation that admins disable VGX.DLL; the library is crucial for proper graphics rendering and is used by IE as well as Office applications.
Websense researchers said today they were prompted by news of the active exploits and started searching crash reports for evidence of exploit activity in the VGX library. Starting in February, spikes in crashes in IE 8 and IE 9 began, in particular from targets in the U.S., U.K., and Brazil, including telecoms, financial services organizations and municipal governments, Websense said.
The researchers said they combed through six months of crash reports, close to 20 million in total, and found fewer than 40 crashes in IE 6 through IE 11 inside VGX; 13 of those happened in February, nine in March and 12 this month.
Two stood out. The first affected IE 9 running on a Windows 7 machine, which is the same setup exploited in the attacks currently in the wild. Other matching crash reports indicate possible failed exploit activity in the U.S. between March 22 and mid-April, Websense said.
The second possible vulnerability affects IE 8, the researchers said. Two different versions of IE 8 running on Windows 7 indicate a buffer overflow vulnerability is present in VGX as early as Feb. 17, Websense said.
“It is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow,” Websense said. “While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory.”
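The crash-report triage Websense describes above, as an added example that is not Websense's own tooling: a small Python script that runs over constructed, simplified crash records (the key=value layout and the sample data are assumptions standing in for Windows Error Reporting data), keeps only Internet Explorer crashes whose faulting module is vgx.dll with an exception code consistent with memory corruption, and counts them by month and IE version so a spike like the one described stands out.

```python
"""Hunt for exploit activity in application crash telemetry (added example).

The record layout is a constructed key=value form, not the real WER format.
"""
from collections import Counter
from dataclasses import dataclass

# NTSTATUS exception codes that suggest memory corruption rather than an
# ordinary application bug (use-after-free, overwritten stack cookie, heap).
MEMORY_CORRUPTION_CODES = {
    0xC0000005: "access violation (use-after-free / wild pointer)",
    0xC0000409: "stack buffer overrun (/GS cookie check failed)",
    0xC0000374: "heap corruption detected",
}

@dataclass
class Crash:
    date: str        # YYYY-MM-DD
    app: str         # crashing executable
    app_version: str # e.g. 9.0.8112.16421 (IE major version is the first field)
    module: str      # faulting module, normalised to lower case
    code: int        # exception code

def parse_records(text: str) -> list[Crash]:
    """Parse one constructed 'k=v;k=v' record per line into Crash objects."""
    crashes = []
    for line in text.strip().splitlines():
        f = dict(kv.split("=", 1) for kv in line.split(";"))
        crashes.append(Crash(f["date"], f["app"].lower(), f["appver"],
                             f["module"].lower(), int(f["code"], 16)))
    return crashes

def find_suspect_crashes(crashes, module="vgx.dll"):
    """IE crashes inside the given module with a memory-corruption signature.
    Office crashes in the same DLL are excluded: the hunt is for browser exploits."""
    return [c for c in crashes
            if c.app == "iexplore.exe" and c.module == module
            and c.code in MEMORY_CORRUPTION_CODES]

def summarize(suspects):
    """Count suspect crashes by (month, IE major version) to expose spikes."""
    return Counter((c.date[:7], "IE" + c.app_version.split(".")[0]) for c in suspects)

# Constructed sample telemetry: two IE 9 vgx.dll access violations, one IE 8
# stack-overrun, plus crashes that the filters must ignore.
SAMPLE = """date=2014-02-17;app=iexplore.exe;appver=8.0.7601.17514;module=VGX.DLL;code=C0000409
date=2014-02-20;app=iexplore.exe;appver=9.0.8112.16421;module=vgx.dll;code=C0000005
date=2014-03-22;app=iexplore.exe;appver=9.0.8112.16421;module=vgx.dll;code=C0000005
date=2014-03-25;app=iexplore.exe;appver=9.0.8112.16421;module=mshtml.dll;code=C0000005
date=2014-04-02;app=excel.exe;appver=14.0.7015.1000;module=vgx.dll;code=C0000005
date=2014-04-10;app=iexplore.exe;appver=11.0.9600.16428;module=vgx.dll;code=E06D7363"""

if __name__ == "__main__":
    for key, n in sorted(summarize(find_suspect_crashes(parse_records(SAMPLE))).items()):
        print(key, n)
```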
Microsoft said it will either issue an out-of-band patch for the vulnerability, or it will wait until May’s Patch Tuesday security updates to release a fix.
This is not the first time Websense has warned users about a zero day found through crash reports. In February, Websense warned that it had spotted previously unseen exploits against CVE-2013-3893, an IE vulnerability used in the Deputy Dog watering hole attacks.
Target says it has hired a new chief information officer to help overhaul its data security systems in the wake of a massive pre-Christmas data breach.
The Minneapolis-based discounter says Tuesday it named outsider Bob DeRodes, who has 40 years of experience in information technology. He will assume oversight of the company’s technology team and operations, effective May 5.
DeRodes replaces Beth Jacob, who left in early March. Target says it is continuing its active search for a chief information security officer and a chief compliance officer.
The company also says that by early next year, its branded cards will have MasterCard’s chip-and-PIN technology.
Target is still dealing with fallout from a breach that compromised 40 million credit and debit cards between Nov. 27 and Dec. 15.
By Lauren Pollock
Target Corp. named a veteran U.S. government adviser to lead its technology team following a massive data breach last year that enabled one of the largest credit-card thefts in corporate history.
Bob DeRodes, who was formerly a senior information technology adviser for the U.S. Department of Homeland Security, Secretary of Defense, and the Justice Department, will become Target’s chief information officer, effective May 5.
Target also said its store-branded debit and credit cards will be enabled with MasterCard Inc.’s so-called chip and pin technology by early next year. Existing Visa Inc. cards will be switched over to the Mastercard network.
Target’s data breach, in which 40 million credit- and debit-card numbers were stolen in the weeks before the year-end holidays, is one of several retailer data thefts that have come to light in recent months.
The company disclosed in January that hackers had stolen such personal information as addresses and telephone numbers of up to 70 million customers. Target later said it found that at least 12 million shoppers had both their credit-card and some personal information stolen and the overlap is likely greater.
Former Chief Information Officer Beth Jacobs resigned in early March and was the first high-profile executive to depart after the breach.
Mr. DeRodes’ responsibilities will include oversight of the Target technology team and operations, along with the ongoing data security enhancement efforts and the development of Target’s long-term information technology and digital
The company is continuing its search for a chief information security officer, which would be a new position, and a chief compliance officer.
“Establishing a clear path forward for Target following the data breach has been my top priority,” Chief Executive Gregg Steinhafel said in a prepared statement. “I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology.”
Target said last month that it was re-examining why its data-security team missed signs that hackers were inside its system and has plugged some critical security gaps.
Target has said the hackers appeared to have first entered its system on Nov. 12, 2013, more than a month before the discount retail chain’s investigators concluded that a breach had occurred.
Among the other companies that have disclosed data breaches in recent months are retailers Michaels Stores Inc. and Neiman Marcus Group. Meanwhile, AOL Inc. on Monday said it is investigating a security incident involving unauthorized access to a significant number of user accounts, and Microsoft Corp. said Sunday that it had discovered a flaw in versions 6 through 11 of its Internet Explorer Web browser, as well as “limited targeted attacks” to exploit the flaw.
(END) Dow Jones Newswires 04-29-140934ET Copyright (c) 2014 Dow Jones Company, Inc.