Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support


NEWS - November 26, 2014

Nov 26, 2014 3:28AM PST
Home Depot hit with "at least 44 civil lawsuits" due to data breach

"Home Depot...not encrypting the data at all, or using lax encryption standards."

Home Depot announced that it is facing "at least 44 civil lawsuits" in the United States and Canada stemming from 56 million customers' data being stolen and exposed earlier this year.

According to the disclosure, which was published Tuesday as part of the company's quarterly earnings report, "We are also facing investigations by a number of state and federal agencies. These claims and investigations may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines."

One of the lawsuits, a proposed class-action suit filed in late September in federal court in San Francisco, alleged that Home Depot "failed to properly encrypt its customers' data in violation of the [Payment Card Industry Data Security Standard]." That same month, former Home Depot security employees told The New York Times that the company repeatedly ignored warnings and undertook poor security for years.

Continued : http://arstechnica.com/tech-policy/2014/11/home-depot-hit-with-at-least-44-civil-lawsuits-due-to-data-breach/

Related : Home Depot Breach Cost Company $43 Million in Third Quarter


Sony Pictures hackers may have gotten inside help
Nov 26, 2014 4:33AM PST

After yesterday's huge hack on Sony Pictures that seemed like something straight out of a bad 90s movie, the attackers have revealed a little more information on the events. In an email response to The Verge, the hackers write:

"We Want equality [sic]. Sony doesn't. It's an upward battle".

That doesn't exactly give us much to work with, but the hackers (who call themselves 'GOP') did direct a tweet at Sony Entertainment CEO Michael Lynton via Starship Trooper's Twitter account yesterday, calling him and the rest of Sony "criminals."

According to The Verge, the hackers claimed they were able to infiltrate the company by working "with other staff with similar interests" because "Sony doesn't lock their doors, physically," which may imply the hackers were able to penetrate the company's servers with help from persons with access to Sony's internal servers.

Continued : http://thenextweb.com/insider/2014/11/25/sony-pictures-hackers-broke-help-employees/

Related :
Sony Pictures breached - or was it?
Sony hack: Firms must learn from its mistakes

Prior Post: Sony Pictures hacked, entire computer system reportedly unusable

Google Launches New Security Dashboard
Nov 26, 2014 4:33AM PST

Google launched a "Devices and Activity Dashboard" to offer users more control over which devices connect to their Google accounts and prevent unauthorized access, according to a company blog post. [Screenshot]

The dashboard provides a snapshot of the devices that connect to the user's Google account, along with details including the last time their account was accessed, the location and the web browser used. This list stays up to date for 28 days.

Users can also check for suspicious account activity. If they notice something out of the ordinary, they can click "Secure your account" to change the account password, update recovery information, check app passwords and account permissions, or alter two-step verification settings.

Continued: http://www.hotforsecurity.com/blog/google-launches-new-security-dashboard-10890.html

Adobe Releases Emergency Flash Player Patch
Nov 26, 2014 4:33AM PST

Adobe today revised a security bulletin it released more than a month ago, adding a patch for a code-execution vulnerability in Flash Player already included in some exploit kits.

French researcher Kafeine found the exploits in the Angler and Nuclear kits less than a week after Adobe released an update Oct. 14.

The update addressed three CVEs, all of which could lead to memory corruption or integer overflows, enabling attackers to remotely load and execute code on the compromised computer. Today's patch adds CVE-2014-8439, reported by Kafeine to Adobe.

Continued : http://threatpost.com/adobe-releases-emergency-flash-player-patch/109623

Related :
Adobe Pushes Critical Flash Patch
Adobe tries again to fix Flash vulnerability
Adobe urges users to implement critical out-of-band Flash Player update

See stickie: Adobe Flash Player Critical Security Updates (APSB14-26)

Cheap Android tablets riddled with security flaws, test finds
Nov 26, 2014 4:34AM PST

Cheap clone Android tablets of the sort that crowd the shelves of many bricks-and-mortar US stores are often riddled with dangerous but hidden security flaws, a test by Bluebox Security has found.

The firm's motivation for carrying out the test of a dozen popular tablets was to advertise the capabilities of its own Trustable assessment tool, but what it found suggests there is still plenty to worry about.

The problem, of course, is that tablet reviews rarely mention security beyond what comes with Android itself because it's hard to know what's going on at a low level. And yet there are many places where it can fall down badly without the user or buyer realising.

Continued : http://news.techworld.com/security/3588762/cheap-android-tablets-riddled-with-security-flaws-test-finds/

Oops: After Threatening Hacker With 440 Years, Prosecutors Settle for a Misdemeanor
Nov 26, 2014 4:37AM PST

Thanks in part to America's ill-defined hacking laws, prosecutors have enormous discretion to determine a hacker defendant's fate. But in one young Texan's case in particular, the Department of Justice stretched prosecutorial overreach to a new extreme: about 440 years too far.

Last week, prosecutors in the Southern District of Texas reached a plea agreement with 28-year-old Fidel Salinas, in which the young hacker with alleged ties to members of Anonymous consented to plead guilty to a misdemeanor count of computer fraud and abuse and pay $10,000 in restitution. The U.S. attorney's office omitted one fact from its press release about that plea, however: Just months ago, Salinas had been charged with not one, but 44 felony counts of computer fraud and cyberstalking—crimes that each carry a 10-year maximum sentence, adding up to an absurd total of nearly a half a millennium of prison time.

Continued : http://www.wired.com/2014/11/from-440-years-to-misdemeanor/

5 scams to watch out for this Black Friday and Cyber Monday
Nov 26, 2014 4:44AM PST

Millions of shoppers will be searching for online bargains over the next week.

Retailers hope that by offering deals on big ticket items like computers and TVs, shoppers will rise from the couch and their turkey-induced torpor and get out to their stores on Black Friday.

And for those not interested in getting out of the house, retailers have in recent years also extended the bargain shop-a-thon with online deals on Cyber Monday.

But the traditional kickoff to the holiday shopping season is unfortunately also a good time for cybercriminals, scam artists and conmen to gear up their activities in order to make a quick buck from unsuspecting shoppers.

Here are five of the biggest online scams you should watch out for.

Continued : https://nakedsecurity.sophos.com/2014/11/25/5-online-scams-to-watch-out-for-this-black-friday-and-cyber-monday/

Also see : DHS, FBI sound alert on holiday cyber scams

Privacy bods Detekt FinFisher dressed as bookmark manager
Nov 26, 2014 6:30AM PST

"Government spyware-spotting project Detekt scores in first week of release"

The Detekt privacy tool has discovered the FinFisher law enforcement spyware masquerading as a benign bookmark manager.

Detekt was launched last week and allows users of Windows systems to inspect their machines for traces of known government spyware.

FinFisher, developed by Gamma Group International, was sold to authorities including Australia's NSW police, Belgium, the Netherlands, Singapore, Hungary and Italy.

Developer Claudio Guarnieri said on Twitter that the tool discovered the malicious toolkit masquerading as the benign software, noting that an unknown user uploaded the file to the VirusTotal analysis engine. [Screenshot] [...]

The malware was signed with a Comodo certificate signed by 'Jagdeependra' and not the author of the bookmark manager Outertech, prompting the latter to take to Twitter to inform customers to download its wares from its official website.

Continued : http://www.theregister.co.uk/2014/11/26/privacy_bods_detekt_finisher_dressed_as_bookmark_manager/

Prior Post : Privacy advocates release free 'Detekt' tool that finds surveillance malware

Skimmer Innovation: 'Wiretapping' ATMs
Nov 26, 2014 6:30AM PST

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called "wiretapping" device that is inserted through a tiny hole cut in the cash machine's front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to the ATM's internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by "wire-tapping" or "eavesdropping" on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks. [Screenshot]

"The criminals cut a hole in the fascia around the card reader where the decal is situated," EAST described in a recent, non-public report. "A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal" [pictured, bottom right].

Continued : http://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/