Home Depot contains malware, but not before 56 million cards were impacted.

A few weeks ago, there was evidence that Home Depot had suffered a security breach when credit cards were put up for sale on a black market website. This was already covered by this blog in this post. Since then, Home Depot has not only confirmed a breach, but also that it lasted from April to September 2014. The release also says that the malware was found in American and Canadian stores, installed on the self-checkout machines, which have been removed from use. There were no signs of data breaches in normal checkout machines, Mexican stores, or the American or Canadian online websites. Despite card information being compromised, there were no signs that PIN numbers were recorded. Home Depot also finished installing enhanced encryption in U.S. stores on September 15, and Canadian stores are expected to be finished in early 2015. The breach was closed, but only after 56 million cards were affected. The malware used in this breach was reported to not have been seen in other attacks; however, there are signs that this breach was carried out by the same group of hackers responsible for the Target breach last year. According to KrebsOnSecurity.com, the thieves were stealing card information up to five days after the first signs of the breach on September 2nd. As of September 22, 2014, Home Depot holds the record for the largest retail card breach. Second place goes to TJX with 45.6 million cards and third place goes to Target with 40 million.

-David Mauriello


Data Encryption to be Enabled by Default in Android L

Since 2011, Google’s smartphone operating system, Android, has given users the option to encrypt the data on their devices. Encrypting your Android device prevents anyone without your set password from reading the information stored on your device if they manage to break in or intercept any data. Very few people know that this feature exists, and fewer still enable it. However, Google recently announced that the next version of Android, currently known as Android L, will have this feature enabled by default. This announcement came shortly after Apple’s announcement that it would be expanding security for its iCloud storage system, which was recently breached, resulting in several nude photos of various celebrities being leaked. The moves made by both companies help to protect the privacy of their users. Slated to be released in October, Android L will require users to create a password during the activation process in order to automatically set up device encryption before any data can be accessed. This means that users will no longer have to worry about any of their information, pictures, videos, communication, and any other data becoming exposed to those with malicious intent, and they also will not have to remember to turn on this feature.


Source: http://www.techtimes.com/articles/15978/20140921/data-encryption-will-be-default-in-android-l-to-keep-out-snoopers.htm

iCloud Hacked: Celebrity Photos Leaked to the World

On August 31, approximately 200 private pictures of various celebrities were posted to 4chan. Users of 4chan spread the pictures to other social networks and websites such as Imgur, Reddit, and Tumblr. McKayla Maroney, the Olympic gold medalist, is among the group of people who had their photos released to the public. She was underage in the pictures released of her. Possessing or sharing them is classified as possession and distribution of child pornography. Twitter user @IgnacioGordo tweeted a link featuring a countdown clock that threatens to release photos of Emma Watson, and at the bottom of the page it states, “Never forget, the biggest to come thus far.” Apple’s iCloud service is believed to have been breached, and that is how the hackers acquired personal videos and photos. Apple later confirmed that the hackers gathered the photos from iCloud and reassured users that the service itself is not vulnerable. Very targeted attacks were used to steal account information such as passwords. The gathered information, along with time, allowed the hackers to break in. Apple has stated that it is working with the FBI to locate and charge those responsible for the leak.

Cross-Site Scripting at ebay.co.uk

Recently, a cross-site scripting (XSS) vulnerability at ebay.co.uk left users susceptible to an attack that attempted to steal their credentials when they clicked on links within a listing. That such a big corporation is not blocking this type of vulnerability is really appalling to some security experts, as this is not a new type of vulnerability.

The XSS attack used JavaScript embedded within the listing. If the user clicked on the malicious link and the script was able to execute (for example, because the user wasn’t using NoScript), it would redirect them to a site that looked like eBay and requested their login information. The site, of course, was a fake set up to harvest user credentials.

The BBC reports that it found at least three separate listings using the malicious JavaScript. Furthermore, it took eBay approximately 12 hours to take down the pages after first being alerted to the problem by one user. The number of affected users is undetermined, but given the response time one might assume that the number could be quite high.
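
A defender-side illustration of the issue described above, added here and not part of the original post or eBay's code: a Python scanner that flags script-capable markup and off-site links in seller-supplied listing HTML. The allow-list hosts and the sample listings are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a listing may link to (hypothetical allow-list).
ALLOWED_HOSTS = {"ebay.co.uk", "www.ebay.co.uk"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
# Constructed sample listings, not taken from the real incident.
CLEAN = '<p>Boxed phone. <a href="https://www.ebay.co.uk/help">Help</a></p>'
SUSPECT = ('<p>Great deal</p>'
           '<a href="http://login.example.test/signin" onclick="go()">Photos</a>'
           '<script src="//cdn.example.test/x.js"></script>')

class ListingScanner(HTMLParser):
    """Records active content found in seller-supplied listing HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser lower-cases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS:
                self._check_url(name, (value or "").strip())

    def _check_url(self, name, value):
        # Browsers drop tabs and newlines inside a URL, so remove them first.
        compact = "".join(c for c in value if c not in "\t\r\n").lower()
        try:
            parsed = urlparse(compact)
        except ValueError:
            self.findings.append(("malformed-url", name))
            return
        if parsed.scheme in ("javascript", "data", "vbscript"):
            self.findings.append(("script-url", name))
        elif parsed.netloc and parsed.hostname not in ALLOWED_HOSTS:
            self.findings.append(("off-site-link", parsed.hostname))

def scan_listing(html):
    """Return a list of (kind, detail) findings for one listing body."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A scan like this helps triage existing listings; it does not replace rendering seller content through an allow-list sanitizer.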

Source: http://www.databreachtoday.com/ebay-stumbles-over-old-school-attack-a-7333/op-1