Archive for July, 2014

UPDATE 4-Target names outsider as CEO after data breach


* Target appoints Pepsi executive Brian Cornell as CEO

(Adds analysts’ comments, updates shares)

By Siddharth Cavale

July 31 (Reuters) – Beleaguered retailer Target Corp
named former PepsiCo and Wal-Mart executive Brian Cornell as CEO
and chairman as it tries to regain customer confidence following
a devastating data breach last year that hit earnings.

Cornell, the first outsider to lead Target, has his work cut
out. The company’s comparable store sales have declined in three
of the last five quarters, while store visits have fallen for
six straight quarters.

An ambitious expansion into Canada last year has stumbled.
The company opened a record 124 stores, but couldn’t keep
shelves full due to delivery bottlenecks and customers
complained of steep prices.

The No.3 U.S. retailer has also been late to embrace
e-commerce, lagging Wal-Mart Stores Inc and Amazon.com
.

From 2009 to 2012, Cornell led a turn-around at Sam’s Club,
Wal-Mart’s slowest growing business at the time.

In May 2012, he joined PepsiCo Inc to head the
company’s largest business, Americas Foods unit, which makes
Frito Lay chips and Quaker oats.

“He did a very solid job at Sam’s,” Cowen Co analyst Faye
Landes said, citing that same-store sales growth at the
membership-only stores jumped to 5.1 percent from 1.4 percent
during Cornell’s tenure.

The 55-year-old, who takes the top post at Target on Aug.
12, had been a contender to succeed PepsiCo CEO Indra Nooyi,
according to the Wall Street Journal, which reported Cornell’s
appointment earlier on Thursday. (on.wsj.com/1xCMUqk)

Before joining Sam’s Club, Cornell held the top job at arts
and crafts chain Michael’s Stores Inc for two years.

“… His experience at large retail and consumer product
goods organizations should be instrumental in guiding Target,”
Morgan Stanley analyst Simeon Gutman wrote in a note.

Under previous CEO Gregg Steinhafel, Target focused on
low-margin grocery items to entice frugal customers, turning
away from its popular home and apparel products, which gave the
company its cheap chic appeal.

“I think the bottom line now is to renew merchandise with
fresh styles,” Edward Jones analyst Brian Yarbrough said.

Refocusing on home and apparel will expand margins and widen
its customer base, helping Target avoid a price war with
Wal-Mart, Yarbrough said.

Wal-Mart gets about 60 percent of its total U.S. revenue
from selling groceries.

Steinhafel was removed in May, after Target lost nearly $1
billion in Canada in 2013 and the data breach in the key holiday
season led to the theft of at least 40 million payment card
numbers and 70 million other data.

CFO John Mulligan has led Target in the interim and will now
return full-time to his CFO duties after Cornell’s appointment.

The company’s shares were down 2 percent at $60.20 in
afternoon trading.

The stock fell 11 percent in the weeks following the breach,
but has made up for most of those losses since then to close at
$61.38 on the New York Stock Exchange on Wednesday.

(Writing by Joyjeet Das; Additional reporting by Supriya Kurane
and Arnab Sen in Bangalore; Editing by Gopakumar Warrier and
Savio D’Souza)

Article source: http://www.reuters.com/article/2014/07/31/target-ceo-idUSL4N0Q62AO20140731

,

No Comments

Irish Bookmaker Apologizes for 2010 Data Breach

Associated Press

Irish betting company Paddy Power announced Thursday it is notifying hundreds of thousands of customers that most of their profile information was stolen in 2010, but hackers did not gain their credit card details or log-in passwords.

Paddy Power defended its four-year delay in reporting the biggest security breach in the company’s history by arguing that it didn’t know most of the details until much more recently. Online security experts said the fast-growing betting firm should have alerted its customers much sooner.

The Dublin-based company said it had known since 2010 that someone tried to hack into its customers’ online accounts and monitored for any signs of fraud or theft, but found no evidence this was happening.

It said it received a tipoff in May that a Toronto-based man had an archive of Paddy Power customers’ names, usernames, addresses, emails, phone numbers, birthdates and security questions, including the mothers’ maiden names — details useful to impersonate the customers and potentially crack into their personal accounts on other sites.

The company said it secured two Canadian court orders in July ordering the man to surrender his database and permit police searches of his IT equipment and financial records. The man, who was questioned by police, has yet to be charged with any crime.

The company said it is sending emails to 649,055 customers — representing nearly 30 percent of its online gamblers in 2010 — advising them to consider changing their security question on all online accounts.

“We sincerely regret that this breach occurred and we apologize to people who have been inconvenienced as a result,” said Peter O’Donovan, managing director of online operations.

Internet security experts said Paddy Power customers could be targeted by “spear-phishers” asking them to change their passwords in hopes of receiving their new log-in credentials.

Maksym Schipka, an information security specialist at British cyber-security firm Clearswift, said the four-year failure to identify what data had been stolen suggests “a huge failure on Paddy Power’s behalf to maintain control and protection of its users’ critical information.”

But investors shrugged off the news, sending Paddy Power shares nearly 1 percent higher to 52.76 euros ($54.10) in Dublin.

Article source: http://abcnews.go.com/Technology/wireStory/irish-bookmaker-apologizes-2010-data-breach-24789223

,

No Comments

New GameOver Zeus Variant Generates 1,000 Domains Daily

The GameOver Zeus takedown was trumpeted as a victory against cybercrime, and for all its success, even those involved understood it was likely a temporary win.

Researchers at Seculert have spotted a new variant of GameOver Zeus that has spurned previous versions’ peer-to-peer communication infrastructure and has an updated domain generation algorithm (DGA).

The changes and updates have exponentially hiked up the botnet’s numbers. Where previously, GameOver Zeus was generating 1,000 new domains weekly, this version is doing that number on a daily basis, Seculert’s Adi Raff wrote in a blogpost today.

In early June, a cooperative effort between U.S. and European law enforcement and private companies such as Microsoft, Abuse.ch, CrowdStrike and others resulted in the seizure of servers used by the criminals behind the GameOver Zeus botnet, the same botnet used to distribute CryptoLocker ransomware.

GameOver Zeus was a challenge because of its decentralized architecture and command and control instructions and updates sent between bots, rather than from a single command server. At its height, the botnet was responsible for millions in financial fraud losses; a stepchild of the Zeus banking malware, it too coveted banking credentials in order to steal funds from online bank accounts.

“Having previously sinkholed GameOver ZeuS, we are able to compare the number of bots communicating with our sinkhole prior to the takedown, and those of the new variant,” Raff wrote. “In the last few days we have seen a surge in the number of bots communicating with our sinkhole; reaching as high as almost 10,000 infected devices. We anticipate the communications traffic to level out over time to reflect pre-takedown amounts.”

Botnet takedowns have been championed often in the past two years as success stories by the FBI, Europol and software companies most affected by botnets, such as Microsoft. Almost always, however, the criminals re-surface with a new command infrastructure and a rejuvenated zombie army of bots. For example, a little more than a month after the GameOver Zeus takedown, new spam campaigns were spotted distributing binaries built from GameOver Zeus under the guise of phony notifications from banks and other financial organizations.

Even Shylock, another strain of banking malware that was taken down on July 10 by Europol, the FBI, GCHQ and private firms including Kaspersky Lab, has resurfaced. Shylock used man-in-the-browser attacks against a list of 60 pre-determined banks to steal credentials from its victims. Seculert said today it was able to sinkhole Shylock three days after it was taken down and reports that nearly 10,000 bots reach out to the sinkhole on a daily basis.

Raff said the quick regeneration of botnets is nothing new. After Kelihos.B was taken down in 2011, Seculert said that 70,000 devices were still active in the botnet days after the seizures and communication between infected bots and command and control continued unabated. He wonders too whether takedowns are resulting in little more than a call to arms for attackers.

“We are not questioning the takedowns or discouraging future ones. Rather we are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it?” he wrote. “There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations. It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.”

Article source: http://threatpost.com/new-gameover-zeus-variant-generates-1000-domains-daily/107544

No Comments

Microsoft Releases New Version of EMET Exploit Mitigation Tool

The latest version of Microsoft’s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options.

The update to Microsoft’s Enhanced Mitigation Experience Tool kit, or EMET, comes six months after a technical preview of EMET 5.0 was released in February during the RSA Conference. It was then when Microsoft was touting new plug-in controls and memory protections, both of which have been rolled into EMET 5.0.

The first new mitigation is called Attack Surface Reduction (ASR). The mitigation allows Windows administrators to determine when—or if—plug-ins such as Java or Adobe Flash run at all on a Windows computer. Java and Flash, for example, have been favorite targets of hackers. Many advanced attacks exploit vulnerabilities in either platform, giving them an initial foothold on a system that can be then leveraged for further system and network access.

With ASR, administrators are able to, for example, allow Java plug-ins on internal websites, while blocking them to the open Internet. They can also block Office applications, for example, from loading Flash in a Word or Excel document, but allow it in the browser.

“We heard from customers that they wanted more control over which programs and in which scenarios these plugins can be loaded. We initially released a Fix It tool last year to disable the Java plugin entirely in Internet Explorer and that helped people,” said Jonathan Ness, principal security development manager for the Microsoft Security Response Center. “But customers told us that they still needed Java for their line-of-business applications running on their local intranet and were looking for a way to block Java and other plugins from loading on the wider untrusted Internet.”

Microsoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming (ROP) exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.

The other new mitigation in EMET 5.0 is called Export Address Table Filtering Plus (EAF+), which introduces two new methods aimed at disrupting advanced attacks, Microsoft said.

“For example, EAF+ adds a new ‘page guard’ protection to help prevent memory read operations, commonly used as information leaks to build exploitations,” Microsoft said in a statement.

“It’s the way EMET blocks common exploit techniques, common shell code techniques.  The engineers building EMET are the same engineers in the security response center that respond to attacks in the wild against our software and these guys are always studying new attack techniques that show up in real-world exploits,” Ness said. “EAF+ amplifies the scope and robustness of EAF.  It blocks new kinds of exploit techniques by performing additional integrity checks and preventing certain memory read operations used as ‘read anywhere’ primitives in recent exploits.”

Microsoft has also tweaked the configuration options in EMET 5.0 allowing admins to further configure how mitigations protect applications in a particular IT environment.

“Users can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0,” Microsoft said. “We continue to provide smart defaults for many of the most common applications used by our customers.”

Microsoft said it has also simplified the way EMET configuration changes can be pushed via Group Policy in Active Directory.

“They will no longer need to refresh the EMET configuration on each host or wait for an application refresh to make configuration changes to all hosts via group policy,” Ness said. “Configuration changes will take effect right away with the addition of the EMET Service.”

Microsoft has also added new services that help users monitor logs for suspicious activity, and has added improvements to its Certificate Trust feature where users are able to establish settings that block users from visiting websites with untrusted digital certificates.

“All EMET users are going to benefit from the way we refactored many components of the EMET 5.0 engine to maximize application compatibility and reduce false positives, and from the work we did with popular anti-malware products to ensure application compatibility,” Ness said.

Article source: http://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mitigation-tool/107549

No Comments

New Backoff PoS Malware Identified in Several Attacks

A new breed of point-of-sale malware has been found in several recent attacks, and experts say that the tool, known as Backoff, has extensive data stealing and exfiltration capabilities, including keylogging, memory scraping and injection into running processes.

The Backoff malware doesn’t necessarily make use of any new techniques or employ innovative infection methods, but researchers at Trustwave SpiderLabs and US-CERT, who have analyzed the malware, say that it’s a serious threat. Attackers have been using the Backoff malware as the second stage of campaigns that begin with locating and then brute-forcing the credentials for remote desktop applications, often for an administrator account. Once that’s accomplished, the attackers then look for PoS devices and install the Backoff malware if possible.

Once installed on a PoS device, the malware injects a small piece of malicious code into the explorer.exe process. It has the ability to scrape memory from running processes to gather payment card track data, log keystrokes and communicate with a remote command-and-control infrastructure.

“The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,” the advisory from US-CERT says.

There are several known variants of the Backoff malware, with slightly different functionality, and researchers say the first known samples were identified in October 2013. The CC communications are done via HTTP POST requests to domains that are hardcoded into the malware. Data sent to the CC servers is encrypted.

“Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string of  ‘jhgtsd7fjmytkr’, and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943 (The MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456),” the technical analysis by Josh Grunzweig of SpiderLabs says.

PoS malware isn’t a new phenomenon, but it’s an effective one. Experts say that such malware was used as part of the Target data breach last year and the researchers at SpiderLabs said they’ve seen Backoff in a number of compromise investigations recently.

Article source: http://threatpost.com/new-backoff-pos-malware-identified-in-several-attacks/107554

No Comments

Data breach at UWF

0) { %

0) { %

0) { %

Article source: http://www.pnj.com/story/news/2014/07/31/data-breach-uwf/13403929/

,

No Comments

Target has hired Pepsi executive Brian Cornell as its new chairman and CEO as …

In May, it fired the president of its Canadian operations, Tony Fisher, and replaced him with Mark Schindele, a company veteran.

Article source: http://www.thestar.com/business/2014/07/31/target_hires_pepsi_exec_to_help_it_recover_from_data_breach_canadian_troubles.html

,

No Comments

Breaking: Massive data breach at Paddy Power bookmakers

Personal details of over 649,000 customers having been stolen.

Paddy Power Chief Executive Patrick Kennedy. Inset: The bookmakers website

THERE’S been a massive data breach at gambling firm Paddy Power, with personal details of over 649,000 customers having been stolen.

‘;
}

s += ‘

Ads by Google

‘;

if (google_ads[0].bidtype == “CPC”) {
google_adnum = google_adnum + google_ads.length;
}

s += ‘

‘;
document.write(s);
return;
}

window.google_adnum = window.google_adnum || null;

google_ad_client = “ca-pub-9024837700129787”;
google_ad_output = “js”;
google_ad_type = “text”;

google_ad_channel = ‘2344944210,6682650729’;

google_max_num_ads = ‘2’;

google_skip = window.google_adnum; /* insert this snippet for each ad call */

About 120,000 of the customers are based in Ireland.

The stolen data includes personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.

The information includes names, addresses, dates of birth, and even the maiden names of mothers, which are often used to verify account details.

The stolen data does not include any personal financial information.

The 649,055 customers affected represented 29pc of Paddy Power’s total online customer base in 2010.

No customers who signed up after 2010 are impacted by the breach.

The betting group – headed up by chief executive Patrick Kennedy – has only this afternoon confirmed the huge incursion to its systems, which occurred in 2010.

But it’s not yet clear why the company has waited until now to tell consumers.

It’s believed Paddy Power was aware in 2010 that malicious activity had taken place against its systems and then completed a security audit and updated its technology infrastructure.

While Paddy Power didn’t know back then as to the extent of the infiltration, customers still weren’t told of a potential breach.

It’s understood that in May this year the company was approached by a third party who became aware that a person in Canada was in possession of personal details of Paddy Power customers.

It’s not yet known whether that person had been attempting to sell the data.

The company verified that the data had come from its system. It then commenced legal proceedings in Ontario to secure possession of computer equipment owned by the person who was holding the Paddy Power data. The company liaised with local police in Ontario. It’s understood the person was residing in Toronto.

It’s not yet clear if criminal proceedings will be initiated against the individual who was found to be in possession of the data.

The Data Protection Commissioner has been informed of the breach and Paddy Power has begun informing customers.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power. 

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.

“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.  This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure,” he added.

A spokesman for the office of the Data Protection Commissioner said the agency was “disappointed” that Paddy Power did not inform of it in October 2010 of a suspected data breach. She said that concern has already been relayed to Paddy Power.

The agency was first informed of the suspected data breach in May this year.

The Data Protection Commissioner has a code of practice that was introduced in 2010, a number of months before the suspected data breach at Paddy Power. But the code is voluntary and companies aren’t obliged to adhere to it. In 2013, the office dealt with 1,577 data security breach notifications.

The Data Protection Commissioner has no legal capacity to levy fines on entities that have had a data breach. However, Commissioner Billy Hawkes has absolute privilege in his annual report to discuss breaches. The next annual report won’t be issued until May next year.

Article source: http://www.independent.ie/business/irish/breaking-massive-data-breach-at-paddy-power-bookmakers-30474614.html

,

No Comments

Crouching Yeti APT Campaign Stretches Back Four Years

Koler popups

  • Google +1
  • Share on LinkedIn

  • Submit this to Reddit
    submit to reddit


0

Koler Ransomware Infrastructure Complex and Agile

Researchers at Kaspersky Lab report on the infrastructure supporting the Koler ransomware, which not only has components targeting Android devices, but also redirects desktop browsers to other ransomware and exploit kits.

Read more…

Article source: http://threatpost.com/crouching-yeti-apt-campaign-stretches-back-four-years/107539

No Comments

Riverside warns of data breach; ex-employee charged – The Virginian

CHESAPEAKE

Riverside Health System announced a possible data breach this week after a former employee was charged with stealing credit card information from cancer patients.

T’sha Riddick, a 33-year-old convicted felon who worked for nearly two years at one of the company’s medical practices in South Hampton Roads, was arrested last month. She is scheduled to appear on Aug. 25 in Chesapeake General District Court on 13 identity-theft and fraud charges related to her time with Cancer Specialists of Tidewater, which has offices in Chesapeake, Virginia Beach and Suffolk.

Peter Glagola, a Riverside spokesman, said the hospital system was unaware the Elizabeth City resident had been convicted nine years ago in North Carolina of two felonies, including credit card fraud.

Glagola explained that Riddick was hired as an unlicensed medical assistant, and that the company requires background checks only for licensed employees. Others are screened randomly, he said.

“This is bringing a lot of things to light,” Glagola said.

The company is now considering whether to conduct background checks on all employees.

As a precaution, Riverside is offering free credit monitoring to over 2,000 patients and all staff. Glagola explained that the number represents everyone who has gone to the practice since Riddick was hired in June 2012.

Riverside Health System oversees five hospitals, including its flagship in Newport News, Riverside Regional Medical Center. The system also has three specialty hospitals, a medical group, surgery centers, retirement communities and home-care services.

“Keeping patient information protected is vital at Riverside,” Glagola said in a news release. “We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”

Court records indicate that Riddick – a single mother of three children – also worked at Waterbrooke Assisted Living in Elizabeth City around the time of her June 6 arrest. Officials with that facility said Wednesday that she no longer worked there and did not have access to patient information when she did. They declined to give their names or elaborate.

The charges against Riddick – who was released earlier this month on a $13,000 surety bond – stem from four different dates in January, March, April and June while she worked at Cancer Specialists of Tidewater, according to court documents.

Glagola said Riddick improperly accessed patient information at the practice, including credit card and Social Security numbers. It is unclear how she obtained the information, but Glagola said Riverside does not believe she accessed it through the company’s computer systems.

Andrew Sacks, Riddick’s attorney, declined to comment on the charges.

In 2005, Riddick pleaded guilty to credit card fraud and obtaining property by false pretense in North Carolina, according to Pasquotank County court documents. The credit card conviction stemmed from Riddick’s use of another woman’s card to pay electricity and telephone bills, court documents said. She worked for Albemarle Hospital at the time, the court documents said.

In 2008, Riddick was convicted of misdemeanor theft in North Carolina, according to court records.

And, last year, she was convicted of misdemeanor possession of stolen property and three counts of misdemeanor worthless checks.

She was on unsupervised probation at the time of her most recent arrest.

Riverside patients who believe they may have been victims of the data breach should call the hospital at 1-877-753-6854.

Pilot writers Elizabeth Simpson, Amy Jeter and Jeff Hampton contributed to this report.

Scott Daugherty, 757-222-5221, [email protected]

<!–

–>

Posted to: Chesapeake Crime Health News

Article source: http://hamptonroads.com/2014/07/riverside-warns-data-breach-exemployee-charged

,

No Comments