
NEWS - September 19, 2014

Sep 19, 2014 3:49AM PDT
Home Depot estimates data on 56 million cards stolen by cybercriminals

"Using custom malware, a group infiltrated the company's systems for five months."

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," Home Depot said in its statement. "The hacker's method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."

Continued : http://arstechnica.com/security/2014/09/home-depot-estimates-data-on-56-million-cards-stolen-by-cybercrimnals/

Related :
56 Million Payment Cards At Risk in Home Depot Data Breach
Home Depot breach put 56 million payment cards at risk, company says

Krebs on Security:
Home Depot: 56M Cards Impacted, Malware Contained
In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

Apple will no longer unlock most iPhones, iPads for police, even with search warrants
Sep 19, 2014 6:11AM PDT

Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information.

The move, announced with the publication of a new privacy policy tied to the release of Apple's latest mobile operating system, iOS 8, amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company — or anyone but the device's owner — from gaining access to the vast troves of user data typically stored on smartphones or tablet computers.

Continued : http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html

Related:
With iOS 8, Apple won't be able to unlock phones for the police
Despite Apple's Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone
Apple expands data encryption under iOS 8, making handover to cops moot

Also see:
Newest Androids will join iPhones in offering default encryption, blocking police
Google to turn on encryption by default in next Android version
eBay redirect attack puts buyers' credentials at risk
Sep 19, 2014 6:12AM PDT

EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. [Screenshot]

The spoof site had been set up to look like the online marketplace's welcome page.

The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.

One security expert said he was surprised by the length of time taken.

Continued : http://www.bbc.com/news/technology-29241563

Related: eBay takes flak for leaving rigged iPhone listing up for 12 hours

**********************

UPDATE - eBay security flaw has existed for months

A flaw that has exposed eBay customers to malicious websites has been affecting the site since at least February, the BBC has found.

Earlier this week it was revealed how clicking on some listings automatically redirected users to the harmful sites.

EBay removed several posts, but said it was an isolated incident.

But the BBC has since found multiple listings, from multiple users, exploiting the same vulnerability.

Continued : http://www.bbc.com/news/technology-29279213

Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm
Sep 19, 2014 6:12AM PDT

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way. [Screenshot]

Continued : http://krebsonsecurity.com/2014/09/medical-records-for-sale-in-underground-stolen-from-texas-life-insurance-firm/
Yahoo slams new 'digital will' law, says users have privacy when they die
Sep 19, 2014 6:13AM PDT

What should happen to your personal digital communications—emails, chats, photos and the like—after you die? Should they be treated like physical letters for the purposes of a will?

Yahoo doesn't think so. The company is criticizing new legislation giving executors charged with carrying out the instructions in a person's will broad access to their online accounts. The legislation aims to tackle the sensitive question of what to do when someone's online accounts on sites like Facebook, Google or Yahoo outlive them.

This past summer, Delaware signed into law the "Fiduciary Access to Digital Assets and Digital Accounts Act." It was modeled after legislation approved earlier by the Uniform Law Commission, a nonprofit group that drafts and lobbies for new state laws. In Delaware, the measure removes some of the hurdles that an estate attorney or other fiduciary would otherwise have to go through to gain broad access to the deceased's online accounts.

Continued : http://www.pcworld.com/article/2683472/yahoo-slams-new-digital-will-law-says-users-have-privacy-when-they-die.html
Google will display Android devs' physical address
Sep 19, 2014 6:13AM PDT

Developers/publishers of paid Android apps and apps that feature in-app purchases will, by the start of next month, be required to add a physical contact address to their account profile.

The address will be visible, on the app page, to all users. Until now only those who bought an app would see that particular piece of information in their Google Wallet.

The company has already begun popping up notices about the new requirement on the developer console, Ryan Whitwam at the Android Police reports.

Continued : http://www.net-security.org/secworld.php?id=17384

Critical Updates for Adobe Reader and Acrobat Released - You Can Breathe Again
Sep 19, 2014 7:15AM PDT

@ the Lumension Optimal Security blog:

You can stop holding your breath now, the wait is over.

Adobe has released security updates for Acrobat and its PDF Reader software fixing critical vulnerabilities in its Windows and Mac software.

Last week, on Patch Tuesday, Adobe explained that although it was releasing security patches for Flash Player and AIR, it was delaying its scheduled security updates for Reader and Acrobat, because of issues that had sprung up during testing.

To be honest, it was hard not to feel grateful. After all, the last thing you want is for a vendor to push out a security update that causes conflicts and potentially creates more problems than the vulnerability it is trying to patch.

In a support advisory published on its website, Adobe gave the security updates for Adobe Reader X, Adobe Reader XI, Adobe Acrobat X and Adobe Acrobat XI its highest priority rating.

Adobe only rates security updates as "Priority 1" if it believes that the vulnerabilities it resolves are being targeted or have a high risk of being exploited in the wild.

Continued : http://blog.lumension.com/9395/critical-updates-for-adobe-reader-and-acrobat-released-you-can-breathe-again/

Related:
Critical Update for Adobe Reader & Acrobat
Adobe Reader Critical Security Update

See Grif's post: New Adobe Reader/Acrobat Version Released (Thanks, Grif!)
Apple Extends Two-Factor Authentication to iCloud
Sep 19, 2014 7:16AM PDT

Apple finally has enabled two-factor authentication for its iCloud storage service, more than a year and a half after the company first turned the protective measure on for iTunes purchases and Apple ID.

The extension of 2FA, which Apple calls two-step verification, to iCloud comes two weeks after the company faced public scrutiny for the security of its iCloud service in the wake of the publication of photos belonging to dozens of celebrities. The attack initially was thought to have been a breach of iCloud itself, but Apple officials said there were no indications of a compromise of iCloud. Instead, the company said it was the result of a "very targeted attack on user names, passwords and security questions".

On Tuesday, Apple sent an email to users informing them that the 2FA system it employs for iTunes and Apple ID is now enabled for iCloud.

Continued : http://threatpost.com/apple-extends-two-factor-authentication-to-icloud/108323

Related : Apple adds two-step verification for iCloud

Beware Apple ID phishing and free iPhone 6 scams
Sep 19, 2014 7:16AM PDT

Graham Cluley @ the Foursys Blog:

In the next few days, those people who have been queueing outside Apple stores in their pyjamas or were lucky enough to survive the avalanche of online pre-orders, will have their paws on a shiny new Apple iPhone 6 or its big brother, the iPhone 6 Plus.

As normal, demand is likely to outstrip supply - at least for a while. And even though you are going to get more square millimetres for your buck than ever before, Apple's smartphones remain an expensive purchase.

So it's not going to be any surprise at all to find folks wanting to get their hands on a brand new iPhone 6 without having to reach deep into their pockets. And that, naturally, is an opportunity for online criminals and fraudsters.

Continued : https://www.foursys.co.uk/Pages/Article/beware-apple-id-phishing-and-free-iphone-6-scams

The Apple phish are flying
Sep 19, 2014 8:28AM PDT

After a week of big Apple news it's no surprise that the authors of phishing emails would focus on Apple, and that appears to be what has happened. I have received one myself and read reports of others.

The Internet Storm Center at the SANS Institute reports on one using the "your account is about to expire" hook. The language is awkward and confusing, so even if you missed on any technical clues that it was illegitimate, reading carefully should arouse suspicion. What does this actually mean, other than "click the link"?

"We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access."

Continued : http://www.zdnet.com/the-apple-phish-are-flying-7000033879/

Large malvertising campaign under way involving DoubleClick and Zedo
Sep 19, 2014 8:28AM PDT

"Malwarebytes Unpacked" Blog:

Earlier today, we warned people that both The Times of Israel and The Jerusalem Post were affected by a malvertising attack.

It appears that this is a much larger and ongoing campaign that is affecting a number of other popular websites.

The reason this is really big is because it involves doubleclick.net (a subsidiary of Google for online ads) and Zedo (a popular advertising agency). [Screenshot]

The latest victim of this campaign is last.fm, the popular music streaming site: [Screenshot]

Continued : https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
https://yourfakebank.support -- TLD confusion starts!
Sep 19, 2014 8:28AM PDT

From the InfoSec Handlers Diary Blog :

Pretty much ever since the new top level domain (TLD) ".biz" went online a couple years ago, and the only ones buying domains in this space were the scammers, we kinda knew what would happen when ICANN's latest folly and money-grab went live. It looks like a number of the "new" top level domains, like ".support", ".club", etc have now come online. And again, it seems like only the crooks are buying.

We are currently investigating a wave of phishing emails that try to lure the user to a copy of the Bank of America website. The main difference, of course, is that any login credentials entered do not end up with Bank of America, but rather with some crooks, who then help themselves to the savings. [Screenshot]

Phishing emails per se are nothing new. But it appears that URLs like the one shown in the phishing email above have a higher success rate with users. I suspect this is due to the fact that the shown URL "looks different", but actually matches the linked URL, so the old common "wisdom" of hovering the mouse pointer over the link to look for links pointing to odd places .. won't help here.

But wait, there's more!

Continued : https://isc.sans.edu/diary/https%3Ayourfakebank.support+--+TLD+confusion+starts!/18651

TLDs-related: Malicious activity observed in new Top-level domains
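The ISC diary's point is that the usual "hover over the link" check fails when the visible URL and the real link target agree, so mail filtering has to look at the domain itself. The following is an added example, not code from the ISC diary, the forum post or the BBC/SANS reporting: a small triage helper that extracts links from a constructed email body, flags the classic case where the shown URL differs from the `href`, and separately flags a registrable domain that carries the bank's brand name but is not one of the domains the bank actually owns. The bank name (`yourfakebank`, taken from the diary title), the allowlist and the three sample links are all constructed for the demo; the registrable-domain logic is a deliberate simplification that ignores multi-label public suffixes such as `co.uk`.

```python
"""Phishing-link triage: catches look-alike brand domains on TLDs the brand
never uses, even when the shown URL matches the link target (added example)."""
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains the hypothetical bank really operates.
BANK_BRAND = "yourfakebank"
LEGIT_DOMAINS = {"yourfakebank.com", "yourfakebank.net"}

# Matches visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]|$)")
# Simple anchor extractor for the constructed HTML below (not a full HTML parser).
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: multi-label public
    suffixes (co.uk, com.au, ...) are not handled."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(visible_text: str, href: str) -> dict:
    """Classify one email link by comparing shown text, real target and allowlist."""
    target_host = urlparse(href).hostname or ""
    target_domain = registrable_domain(target_host)

    # Classic check: does the visible URL's domain differ from the real target?
    hover_mismatch = False
    if URL_LIKE.match(visible_text):
        shown = visible_text if "://" in visible_text else "http://" + visible_text
        shown_host = urlparse(shown).hostname or ""
        hover_mismatch = registrable_domain(shown_host) != target_domain

    # TLD-confusion check: brand name in the second-level label, but the
    # registrable domain is not one the brand owns (e.g. brand.support).
    brand_lookalike = (BANK_BRAND in target_domain.split(".")[0]
                       and target_domain not in LEGIT_DOMAINS)

    verdict = "ok"
    if hover_mismatch:
        verdict = "suspicious: shown URL differs from link target"
    elif brand_lookalike:
        verdict = "suspicious: brand name on a domain the brand does not own"
    return {"target_domain": target_domain, "hover_mismatch": hover_mismatch,
            "brand_lookalike": brand_lookalike, "verdict": verdict}


def triage_email(html: str) -> list:
    """Run classify_link over every anchor in an HTML email body."""
    return [dict(href=href, shown=text.strip(), **classify_link(text.strip(), href))
            for href, text in ANCHOR.findall(html)]


# Constructed sample email with three links: a TLD look-alike whose shown
# and real URLs agree, a classic shown/target mismatch, and a legitimate link.
CONSTRUCTED_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="https://yourfakebank.support/login">https://yourfakebank.support/login</a>
<a href="http://203.0.113.10/verify">https://www.yourfakebank.com/verify</a>
<a href="https://www.yourfakebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for r in triage_email(CONSTRUCTED_EMAIL):
        print(f"{r['href']:45} -> {r['verdict']}")
```

The first sample link is the case the diary describes: the hover check passes because the shown and linked domains are identical, and only the allowlist comparison flags it. In a real mail gateway the allowlist would come from the organisations you actually bank with, and the registrable-domain step would use a public-suffix list rather than the two-label shortcut used here.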

Microsoft kills off its Trustworthy Computing Group
Sep 19, 2014 9:07AM PDT

Microsoft's Trustworthy Computing Group is headed for the axe, and its responsibilities will be taken over either by the company's Cloud & Enterprise Division or its Legal & Corporate Affairs group.

The disbandment of this highly regarded company initiative has yet to be announced publicly by the company, and the group's website doesn't sport any notice, but according to Geekwire's Todd Bishop, the decision has been made.

The change is, ostensibly, due to a decision to try to integrate the Trustworthy Computing work into Microsoft's engineering teams, and it's part of the reorganization efforts the company has been doing in the wake of the latest round of layoffs they planned for this year. According to a company spokesman, an unspecified number of jobs from the group will be cut.

Continued : http://www.net-security.org/secworld.php?id=17385

Related:
Era Ends With Break Up of Trustworthy Computing Group at Microsoft
Microsoft reorgs its Trustworthy Computing group; cuts some staff
Blood-crazed Microsoft axes Trustworthy Computing Group