
Category: PCI

October 19th, 2009

Commonwealth fined $100k for not mandating antivirus software

Posted by Dancho Danchev @ 8:11 am

Categories: Anti Virus, Botnets, Browsers, Data theft, Hackers, Malware, PCI, Passwords, Pen testing, Privacy, Rootkits

Tags: Electronic Banking, Antivirus Software, Commonwealth Financial Network, Banking, Security, Viruses And Worms, Financial Services, Dancho Danchev

According to a recently published SEC cease-and-desist order, the Commission fined Commonwealth Financial Network $100,000 for not mandating antivirus software on the computers of its representatives. That failure led to a security incident in November 2008 that allowed the cybercriminal behind the attack to place eighteen unauthorized purchase orders, resulting in $523,000 of unauthorized purchases.

Despite Commonwealth’s brisk reaction, which greatly minimized the financial impact of the compromised accounts, the incident took place shortly after a representative contacted the IT Help Desk indicating that a malware infection might have taken place, without receiving “follow-up” attention:


August 19th, 2009

Radisson Hotels report significant data breach

Posted by Ryan Naraine @ 12:22 pm

Categories: Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Malware, PCI, Patch Watch, Responsible disclosure, Spyware and Adware

Tags: Debit Card, Radisson Hotels & Resorts, Financial Services, Ryan Naraine

Add the Radisson Hotels & Resorts chain to the growing list of businesses reporting significant data breaches that exposed sensitive customer data.

In an open letter to guests, Radisson chief operating officer Fredrik Korallus said the hotel chain’s computer system was hacked between November 2008 and May 2009 and customer data, including credit and debit card numbers, was stolen.


July 20th, 2009

Some important truths about pen-testing

Posted by Ryan Naraine @ 9:51 am

Categories: Arbitrary Code Execution, Complex Attacks, Contributors, Data theft, Exploit code, Malware, PCI, Pen testing, Vulnerability research

Tags: Process, Security, Penetration Testing, IT Security, Information Technology, Organization, Ryan Naraine

Guest editorial by Alberto Soliño

Penetration testing is a highly scientific, metrics-driven approach to IT security that has been in practice since almost the dawn of the modern computing era, when programmers first began conducting organized tests, or “hacks”, of their own or others’ technologies to test their performance and reliability.

From nearly the start, as developers attempted to assess the tolerance levels of their technologies to different forms of input, and some user organizations, including governments, did the same, they realized that this process was helpful not only in terms of allowing them to design more stable products, but also in securing these technologies to prevent them from being broken or improperly accessed.


May 8th, 2009

Heartland says malware breach cost $12.6 million

Posted by Ryan Naraine @ 7:26 am

Categories: Anti Virus, Arbitrary Code Execution, Data theft, Exploit code, Malware, PCI, Responsible disclosure, Spyware and Adware, Zero-day attacks

Tags: Bank, Payment, Malware, Intrusion, MasterCard International, Heartland, Financial Services, Viruses And Worms, Security, Ryan Naraine

The data breach at Heartland Payment Systems cost the company a whopping $12.6 million in legal costs and fines from Mastercard and Visa.

Heartland, a publicly traded company that provides bank card payment processing services to merchants in the U.S., made the disclosure less than four months after confirming a malware intrusion that compromised data that crossed its network.


April 29th, 2009

Online broker CommSec criticised for weak passwords, lack of SSL

Posted by Dancho Danchev @ 8:42 am

Categories: Anti Virus, Browsers, Hackers, PCI, Passwords, Privacy

Tags: Password, Flaw, SSL, Online Broker, CommSec, Password Best Practice, Security, Dancho Danchev

In times when vendors are vertically integrating by offering virtual keyboards for secure Ebanking, and banks themselves are requiring end users to run antivirus software if they were to file a fraud claim, others are busy fixing security design flaws.

Earlier this month, a Melbourne-based computer programmer discovered that the 1.7m customers of Australia’s largest online broker, CommSec, have been using the site’s services under outdated password best practices, which gave them the option to use a basic numeric password, logically increasing the potential effectiveness of brute-forcing attacks.

CommSec introduced password best practices once Australia’s Herald Sun approached the company, following two dismissed calls from the programmer:


January 20th, 2009

Heartland finds malware in bank card payment system

Posted by Ryan Naraine @ 11:29 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Malware, PCI, Passwords, Pen testing, Responsible disclosure

Tags: Bank, Payment, Malware, Fraud Operation, Spyware, Adware & Malware, Cyberthreats, Operational Accounting, Viruses And Worms, Financial Services, Security

Heartland Payment Systems, a publicly traded company that provides bank card payment processing services to merchants in the U.S., has suffered a malware breach that may be linked to a “widespread global cyber fraud operation.”

In a statement (see Adam O’Donnell’s coverage), the company said its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached last year but insists that customer and merchant data was not affected. From the statement:

December 1st, 2008

'Dumbing down' the security profession

Posted by Ryan Naraine @ 2:02 am

Categories: Complex Attacks, Contributors, Hackers, PCI, Pen testing, Punditocracy, Research, Vulnerability research

Tags: Analysis Tool, Vulnerability, Analysis, Tool, Productivity, Security, Ryan Naraine

* Ryan Naraine is traveling.

Guest editorial by Shyama Rose

The market for the development and implementation of source code analysis (static and dynamic) tools is swelling. Companies are increasingly relying on source code analysis tools to identify security-related vulnerabilities. The demand and reliance upon sophisticated automated solutions is greater than the supply of quality tools. Due to the underdevelopment and immature nature of tools and the nature of the industry, the risk of highly complex vulnerabilities left unidentified and unmitigated is high.

Code analysis tools should be used as guidelines or preliminary benchmarks as opposed to definitive software security solutions.


July 2nd, 2008

PCI-DSS 1.1 points to outdated OWASP Top 10

Posted by Nathan McFeters @ 10:12 am

Categories: McAfee, PCI

Tags: XSS, PCI, Security, Storage, Hardware, Nathan McFeters

OK, I’m not going to freak out about this too bad… I’ve already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman (pictured at right) blogged today about the PCI-DSS 1.1 section 6.5, which covers “prevention of common coding vulnerabilities in software development processes”, and noted that it actually is identical to the OWASP Top Ten from 2004. Argh… the latest version is from 2007.

Here’s the PCI-DSS list (which is actually OWASP Top 10 from 2004):


July 1st, 2008

McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

Posted by Nathan McFeters @ 10:40 pm

Categories: McAfee, PCI

Tags: McAfee Inc., Organize-It, PCI, Phishing, Cyberthreats, Marketing Research, Storage, Hardware, Security, Spam And Phishing

Stay with me here readers, I’m stringing two stories about McAfee together here, a little out of the ordinary, so I hope it makes sense. If you aren’t interested in the tech details (of which there are very little), please do read for a good laugh.

Network World reported that McAfee conducted an experiment into what would happen if computer users really did respond to all those spam emails and click all those free virus scan popups. The experiment, called S.P.A.M. (Spam Persistently All Month), took 50 volunteers, both male and female, from numerous countries and tried to determine what would really happen. Of course, the end result will be exactly what you’d expect, but hey, I’m game for an experiment, and the volunteers get free computers, so let’s read on!


May 30th, 2008

Obama looking for help thwarting Web site hackers

Posted by Ryan Naraine @ 3:40 pm

Categories: Arbitrary Code Execution, Browsers, Hackers, Java, Open source, PCI, Passwords, Patch Watch, Vulnerability research, Zero-day attacks

Tags: Web, Network, Web Site, Hacker, Web Site Development, Security, Hacking, Network Security, Networking, Web Technology

On the heels of last month’s embarrassing site breach that allowed a hacker to redirect traffic from BarackObama.com to Hillary Clinton’s Web site, the Obama campaign is looking to hire a network security expert to lock down its online operations.

According to this job listing, the campaign is offering a salaried position on its Boston, Mass.-based development team to work through the election in November to handle all aspects of online security.

[ SEE: Obama site hacked; redirected to HillaryClinton.com ]

Some responsibilities:

  1. Analyzing the network architecture for the My.BarackObama website
  2. Leading an overhaul of existing security systems and architecture, including policy, firewall, VPN, and networking equipment
  3. Developing a strategy for responding to hack attempts, DDoS attacks, and other potential threats
  4. Establishing and managing the security posture of the online campaign My.BarackObama

The Obama campaign is looking for someone with a deep understanding of the LAMP (Linux, Apache, MySQL and Perl/Python/PHP) stack, experience with firewall and VPN products and knowledge of the state of the Internet security landscape.

Last month, hackers exposed several cross-site scripting and script injection flaws on the BarackObama.com site to HillaryClinton.com. Some examples of the vulnerabilities have been posted to the xssed.com portal.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.