Tag: security

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. “Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities, ” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates.” The hotel chain said the incident affected payment card information — cardholder name, card number, expiration date and internal verification code — from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved. Read more of this story at Slashdot.

Continue Reading:
Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries

Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say

To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what’s called an “entitlement” — a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store. “It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature, ” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.” Read more of this story at Slashdot.

Visit link:
Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say

Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ

An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer, which hackers working for the Russian government exploited to steal the documents, the WSJ reported on Thursday (the link could be paywalled; alternative source), citing multiple people with knowledge of the matter. From the report: The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter. Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said. Ahead of the publication of WSJ report, Kaspersky founder Eugene Kaspersky tweeted, “New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats.” Read more of this story at Slashdot.

More:
Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ

An alarming number of patched Macs remain vulnerable to stealthy firmware hacks

Enlarge (credit: Autobahn ) An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded. The exposure results from known vulnerabilities that remain in the Extensible Firmware Interface, or EFI, which is the software located on a computer motherboard that runs first when a Mac is turned on. EFI identifies what hardware components are available, starts those components up, and hands them over to the operating system. Over the past few years, Apple has released updates that patch a host of critical EFI vulnerabilities exploited by attacks known as Thunderstrike and ThunderStrike 2 , as well as a recently disclosed CIA attack tool known as Sonic Screwdriver . An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. Forty-seven Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version. Read 11 remaining paragraphs | Comments

See the original article here:
An alarming number of patched Macs remain vulnerable to stealthy firmware hacks

Nestle Makes Billions Bottling Water It Pays Nearly Nothing For

Nestle, the world’s largest food and beverage company, has been bottling water since 1843 and has grown into the largest seller of bottled water. But a detailed report on Bloomberg uncovers the company’s operation in Michigan, revealing that Nestle has come to dominate in the industry in part by going into economically depressed areas with lax water laws. It makes billions selling a product for which it pays close to nothing. Find the Bloomberg Businessweek article here (it might be paywalled, here’s an alternative source). Read more of this story at Slashdot.

View post:
Nestle Makes Billions Bottling Water It Pays Nearly Nothing For

iOS 11 Released

Today, Apple released the final version of iOS 11, its latest mobile operating system. If you have an iPhone or iPad that was released within the last few years, you should be able to download the new update if you navigate to the Settings panel and check for a software update under the General tab. The Verge reports: OS 11, first unveiled in detail back at Apple’s WWDC in June, is the same incremental annual refresh we’ve come to expect from the company, but it hides some impressive complexity under the surface. Not only does it add some neat features to iOS for the first time, like ARKit capabilities for augmented reality and a new Files app, but it also comes with much-needed improvements to Siri; screenshot capture and editing; and the Control Center, which is now more fully featured and customizable. For iPads, iOS 11 is more of an overhaul. The software now better supports multitasking so you can more easily bring two apps into split-screen mode, or even add a third now. The new drag-and-drop features are also much more powerful on iPad, letting you manage stuff in the Files app more intuitively and even letting you drag and drop photos and text from one app to another. Read more of this story at Slashdot.

Read More:
iOS 11 Released

Equifax CEO Hired a Music Major as the Company’s Chief Security Officer

Susan Mauldin, the person in charge of the Equifax’s data security, has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin’s LinkedIn profile lists no education related to technology or security. If that wasn’t enough, news outlet MarketWatch reported on Friday that Susan Mauldin’s LinkedIn page was made private and her last name was replaced with “M”, in a move that appears to keep her education background secret. Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. On Friday, the UK arm of the organisation said files containing information on “fewer than 400, 000” UK consumers was accessed in the breach. Read more of this story at Slashdot.

View the original here:
Equifax CEO Hired a Music Major as the Company’s Chief Security Officer

Backdoor Found In WordPress Plugin With More Than 200,000 Installations

According to Bleeping Computer, a WordPress plug that goes by the name Display Widgets has been used to install a backdoor on WordPress sites across the internet for the past two and a half months. While the WordPress.org team removed the plugin from the official WordPress Plugins repository, the plugin managed to be installed on more than 200, 000 sites at the time of its removal. The good news is that the backdoor code was only found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2), so it’s unlikely everyone who installed the plugin is affected. WordPress.org staff members reportedly removed the plugin three times before for similar violations. Bleeping Computer has compiled a history of events in its report, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. The report adds: The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites. Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase. A month after buying the plugin in May, its new owner released a first new version — v2.6.0 — on June 21. Read more of this story at Slashdot.

See the original post:
Backdoor Found In WordPress Plugin With More Than 200,000 Installations

Equifax Had ‘Admin’ as Login and Password in Argentina

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the “admin/admin” password combination. Read more of this story at Slashdot.

See the original post:
Equifax Had ‘Admin’ as Login and Password in Argentina

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm’s source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It’s also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines — some of which have since been retracted — all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it’s problematic from a technical point of view. In case you haven’t noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax’s own data breach detector isn’t just useless: it’s untrustworthy. Adding insult to injury, the credit agency’s advice and support site looks, at first glance, to be a bogus, phishing-type site: “equifaxsecurity2017.com.” That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax’s technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. “It’s possible that the hackers found the hole on their own, but zero-day exploits aren’t that common, ” reports ZDNet. “It’s far more likely that — if the problem was indeed with Struts — it was with a separate but equally serious security problem in Struts, first patched in March.” The question then becomes: is it the fault of Struts developers or Equifax’s developers, system admins, and their management? “The people who ran the code with a known ‘total compromise of system integrity’ should get the blame, ” reports ZDNet. Read more of this story at Slashdot.

View post:
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach