Home Depot Credit Card Breach

Security analysts have discovered a large batch of credit cards posted onto a credit card resale website called Rescator. Rescator [dot] cc is a website hosted in Russia for the purpose of selling stolen credit card information. The website lists batches of stolen data, including information about where they were stolen from. The origin is used by the buyers so the card can be used in the same area where the card is registered, thus being less likely to be flagged as suspicious. Krebs on Security – a reputable cyber security blog – has taken the zip codes of the credit card batch and has found a 99% overlap with Home Depot locations. The high overlap suggests a strong likelihood that the source of the cards is Home Depot. Home Depot has yet to acknowledge that there has been a breach. Home Depot has, however, stated that they are currently investigating a potential breach. Home Depot stated, “If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers,” leading many to believe that a breach has occurred. It is estimated that the breach occurred 3 to 4 months ago, yet it was only discovered once the information was put up for sale. There is speculation that this breach could affect more people than the notorious 2013 Target breach, as it affects all Home Depot locations. Latest reports state that the malware utilized in the attacks is an updated variant of the “BlackPOS” malware used to siphon credit cards from Target points of sale in 2013.

-Ian Stubenbord

Source: http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

http://krebsonsecurity.com/2014/09/data-nearly-all-u-s-home-depot-stores-hit/

https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx

Smartphone Gyroscope Able to Record Some Recognizable Speech Without Permissions

Stanford researchers have been investigating the possibility of using a smartphone’s gyroscope to record audio – without having microphone access permissions. In other words, the gyroscope sensor in your phone that is used to detect angular velocity is sensitive enough to capture certain lower frequencies of sound. This means that it could be used, without your knowledge, to record and analyze conversations. From this, it is feasible that sensitive private information could be extracted, such as social security numbers, credit card numbers, and more.

Using specially crafted algorithms to filter the sound captured by the gyroscope, which is normally incomprehensible to human ears, the researchers have managed to correctly interpret spoken digits with an alarming success rate (up to 65%). This means that any sensitive information that is spoken out loud in the vicinity of a smartphone equipped with one of these sensors is susceptible to being recorded and correctly interpreted by a malicious application. Since access to a phone’s gyroscope is not restricted in the way that the microphone is, these applications could operate and steal your information without you ever knowing.

 

by David Grzebinski

 

Sources:

http://phys.org/news/2014-08-snooping-gyroscope-usenix.html

http://crypto.stanford.edu/gyrophone/

https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/michalevsky

 

Chinese Authority Intercepts Information Between Google and CERNET

In China, many large websites and search engines, such as Google, are blocked from use by its citizens. But seeing the value that Google presents, the government set up a nationwide system called CERNET (Chinese Education and Research Network) to allow students, teachers and researchers to access the resources Google can provide. In recent weeks, students and teachers that use CERNET have reported that their searches have returned with errors such as “Invalid SSL certification”. The company in charge of CERNET’s security is called GreatFire. After they had shared their findings with another security-based software company named Netresec, they concluded that these attacks are similar, if not identical, to the Man in the Middle attacks the Chinese government used on GitHub (a developer site) last winter. Upon looking into the matter in more detail, they have found that the Chinese government was using these “MitM” attacks to get into the CERNET system and block “harmful” search inquiries.

Here is the article where I got my information:

http://thehackernews.com/2014/09/government-accused-of-intercepting.html

Twitter pays bounties for vulnerabilities

Recently, Twitter has stated on HackerOne that they will pay people a fee for finding vulnerabilities in their website, their app, or anything that could threaten Twitter. People have to register with HackerOne and submit their vulnerability so it can be reviewed to see if it will qualify as a legitimate threat. The minimum bounty is $140; there is no maximum, and bounties will be determined based on the significance of the vulnerability. To submit a vulnerability you must go through the HackerOne website and their process; from there, Twitter will determine how to reward you.

Common vulnerabilities include:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Tweets
  • Unauthorized Access to DMs

Vulnerabilities not included:

  • Issues related to software or protocols not under Twitter control
  • Reports from automated tools or scans
  • Reports of spam
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Twitter staff or contractors
  • Any physical attempts against Twitter property or data centers

So far 71 people have submitted bugs and been rewarded.

This is a good move by the company to help keep their business safe: people can do this legally and get paid for it, so it helps take away some of the motive for people who were doing it beforehand. It’s still in its beginning stage, so there’s no telling if this will turn out to be a good or a bad thing. We will have to sit back and watch.

https://hackerone.com/twitter

 

posted by,

Cameron Clark