Hackers put security tool that finds payment card data into their arsenal

May 30, 2014 – 5:19 AM

Like a crowbar, security software tools can be used for good and evil.

Bootleg versions of a powerful tool called “Card Recon” from Ground Labs, which searches for payment card data stored in the nooks and crannies of networks, have been appropriated by cybercriminals.

This month, the security companies Trend Micro and Arbor Networks published research into point-of-sale malware, which has been blamed for data breaches at retailers such as Target and Neiman Marcus, sparking concerns over the security of consumer data.

Both companies found that unauthorized copies of Card Recon had been incorporated into a malware program and a toolkit designed for finding and attacking POS terminals.

“Card Recon looks to be a useful tool when wielded by an auditor or security staff, but it is clearly dangerous in the wrong hands,” Arbor Networks wrote in its report.

Card Recon is intended for organizations seeking to comply with the Payment Card Industry’s Data Security Standard (PCI-DSS), a set of recommendations to safeguard payment card data.

The software tool scans all parts of a network to see where payment card data is stored. Often, companies find card details stashed in unlikely and unknown places. Card Recon compiles a thorough report, and companies can then move to secure the data.
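The discovery step the article describes (finding card numbers wherever they have been stored) comes down to two checks: a digit-pattern search and the Luhn checksum that card numbers carry. The following is an added example, not Ground Labs code or anything from the article, of a minimal compliance-style scan in Python: it walks constructed sample text, keeps only Luhn-valid candidates, and masks everything but the last four digits so the report itself does not become another copy of the data.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers: doubling every second
    digit from the right, subtracting 9 from doubled values above 9, and
    requiring the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits for the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (line_number, masked_number) for each Luhn-valid candidate.
    Digit runs that fail the checksum (order ids, invoice numbers) are dropped,
    which is what keeps a scan like this from drowning in false positives."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


# Constructed sample: two well-known test card numbers (Luhn-valid), one
# 16-digit reference that is not a card, and one mistyped number.
SAMPLE = """\
order_id=100234 customer=j.doe@example.com
note: card on file 4111 1111 1111 1111 exp 12/16
invoice ref 1234567890123456 (internal, not a card)
backup.csv: 5555-5555-5555-4444,07/17
typo in field: 4111111111111112
"""

if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Only lines 2 and 4 of the sample are reported; the invoice reference and the mistyped number fail the checksum. A real scan would add file walking and decoding of the formats it finds, but the filtering logic is the same.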

Source:
http://www.pcadvisor.co.uk/news/security/3522409/hackers-put-security-tool-that-finds-payment-card-data-into-their-arsenal/

“TrueCrypt is not secure,” official SourceForge page abruptly warns

May 28, 2014 – 7:40 PM

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn’t safe to use.

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” text in red at the top of the TrueCrypt page on SourceForge states. The page continues: “This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

The advisory, which Ars couldn’t immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet’s encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.

Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more details.

Source:
http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/

Unencrypted cookies make WordPress accounts vulnerable over open networks

May 28, 2014 – 5:39 AM

People accessing the Internet over open WiFi networks are now vulnerable to having their WordPress webpage hijacked even with two-step authentication enabled. This new vulnerability was found by Yan Zhu, a staff technologist with the Electronic Frontier Foundation.

Zhu found that when accessing WordPress, the site sends a cookie in plain text rather than encrypted. The cookie contains the tag “wordpress_logged_in,” which means that if a person has this cookie, WordPress will allow the user into sections of the site that let them modify blogs, snoop through private messages, and more. Because WordPress leaves this cookie unencrypted, it can easily be intercepted.

To test this, Zhu took the cookie from her own account and copied it the same way an attacker would. It logged her in without having to enter any information and it even bypassed her two-step verification. She could use the cookie to change the email address on her account, as well as set up two-step verification if it wasn’t already enabled. Andrew Nacin, a WordPress contributor, tweeted that although this exploit could be used until the cookie expires, it will not let the holder of the intercepted cookie change any passwords, because that requires a separate cookie with the “wordpress_sec” tag, which is only sent encrypted.

WordPress accounts that are self-hosted on a server with HTTPS support are not affected by this vulnerability. As long as every user has HTTPS enabled on their site and its cookies carry the “secure” flag, things should be fine. Users without an HTTPS-enabled server should refrain from using any unsecured network when accessing their WordPress account.
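The fix the article points to is a cookie attribute, not application logic: a session cookie marked Secure is never sent over plain HTTP, so there is nothing for a listener on an open network to capture. The Python below is an added example, not WordPress code, that builds a login cookie with and without that flag and then audits a set of Set-Cookie headers the way a site owner might check their own response. The cookie names follow the article; the values are constructed.

```python
from http.cookies import SimpleCookie

# Names used in the article: the session cookie and the separately protected
# one that password changes require. Values below are constructed.
SESSION_COOKIE = "wordpress_logged_in"
SECURE_ONLY_COOKIE = "wordpress_sec"


def build_cookie(name, value, secure):
    """Return a Set-Cookie header value.

    secure=True adds the Secure flag, so the browser sends the cookie only
    over HTTPS. HttpOnly is always set so page scripts cannot read it.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def audit_set_cookie_headers(headers):
    """Parse Set-Cookie header values and report cookies missing Secure or
    HttpOnly. Returns {cookie_name: [missing flags]}; empty means clean."""
    findings = {}
    for header in headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# The weak configuration the article describes: the session cookie is sent
# without Secure while only the password-change cookie has it.
WEAK_HEADERS = [
    build_cookie(SESSION_COOKIE, "user|1400000000|tokenA", secure=False),
    build_cookie(SECURE_ONLY_COOKIE, "user|1400000000|tokenB", secure=True),
]

# The corrected configuration: every session-bearing cookie is Secure.
FIXED_HEADERS = [
    build_cookie(SESSION_COOKIE, "user|1400000000|tokenA", secure=True),
    build_cookie(SECURE_ONLY_COOKIE, "user|1400000000|tokenB", secure=True),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_set_cookie_headers(headers) or "no findings")
```

The audit reports the weak set as `{'wordpress_logged_in': ['Secure']}` and the fixed set as clean. The flag only helps when the site actually serves HTTPS; on a plain-HTTP site a Secure cookie would never be sent at all, which is why the article's advice for such sites is to avoid untrusted networks.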

Source:
http://www.neowin.net/news/unencrypted-cookies-make-wordpress-accounts-vulnerable-over-open-networks

Spotify: Important Notice to Our Users

May 27, 2014 – 6:36 PM

We’ve become aware of some unauthorized access to our systems and internal company data and we wanted to let you know the steps we’re taking in response. As soon as we were aware of this issue we immediately launched an investigation. Information security and data protection are of great importance to us at Spotify and that is why I’m posting today.

Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information. We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.

We take these matters very seriously and as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days.

As an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions. As always, Spotify does not recommend installing Android applications from anywhere other than Google Play, Amazon Appstore or https://m.spotify.com/. At this time there is no action recommended for iOS and Windows Phone users.

Please note that offline playlists will have to be re-downloaded in the new version. We apologise for any inconvenience this causes, but hope you understand that this is a necessary precaution to safeguard the quality of our service and protect our users.

We have taken steps to strengthen our security systems in general and help protect you and your data – and we will continue to do so. We will be taking further actions in the coming days to increase security for our users.

Source:
http://news.spotify.com/us/2014/05/27/important-notice-to-our-users/

Avast takes community forum offline after data breach

May 27, 2014 – 5:08 AM

Prague-based antivirus company Avast said Monday it took its community forum offline after a data breach, but payment information was not compromised.

Usernames and nicknames, email addresses and encrypted passwords were obtained in an attack over the weekend, wrote Avast CEO Vince Steckler on a company blog. The attack affected fewer than 400,000 of Avast’s 200 million users.

“We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you,” Steckler wrote.

How the forum was breached remains unknown, Steckler wrote. The leaked passwords were hashed, which means that hackers obtained cryptographic representations of passwords that have been run through an algorithm. For example, the password “Rover” run through the SHA-1 algorithm is “ac54ed2d6c6c938bb66c63c5d0282e9332eed72c.”

Steckler didn’t specify the algorithm Avast uses to hash passwords, but warned that “it could be possible for a sophisticated thief to derive many of the passwords.”

Recovering the original passwords from those hashes is possible using password-cracking tools and powerful graphics processors. But the longer and more complicated the password — such as one with a mix of capital letters, numbers and symbols — the harder it is to crack.
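Whether “a sophisticated thief” can derive many passwords from a dump like this depends less on the algorithm’s name than on two properties the article hints at: whether each hash is salted, and how fast it is to compute. The Python below is an added example, not Avast’s code, that contrasts the article’s unsalted SHA-1 with a salted, iterated PBKDF2 hash. Running it prints the SHA-1 digest of “Rover” so the article’s quoted value can be checked, and the constructed three-entry lookup table shows why the same password hashes identically for every user when no salt is used.

```python
import hashlib
import hmac
import os


def sha1_unsalted(password):
    """Fast, unsalted hash (the article's "Rover" example). Every user with
    the same password gets the same digest, so one precomputed table
    reverses all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 over a random
    16-byte salt. Stored as "iterations$salthex$digesthex" so the parameters
    travel with the hash and can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt and iteration count; constant-time
    comparison avoids leaking how many leading bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for a precomputed table: a defender's demonstration
# that an unsalted fast hash falls to a lookup while a salted one does not.
COMMON_PASSWORDS = ["123456", "password", "Rover"]
PRECOMPUTED = {sha1_unsalted(p): p for p in COMMON_PASSWORDS}


def lookup(digest_hex):
    """Return the password if the digest is in the table, else None."""
    return PRECOMPUTED.get(digest_hex)


if __name__ == "__main__":
    print("SHA-1 of Rover:", sha1_unsalted("Rover"))
    print("table lookup, unsalted:", lookup(sha1_unsalted("Rover")))
    stored = pbkdf2_hash("Rover")
    print("table lookup, salted:", lookup(stored.split("$")[2]))
    print("verify correct password:", pbkdf2_verify(stored, "Rover"))
    print("verify wrong password:", pbkdf2_verify(stored, "rover"))
```

Two salted hashes of the same password differ, so a table built for one user tells the attacker nothing about another, and the iteration count makes each guess cost hundreds of thousands of hash operations rather than one. That is what turns “the longer the password, the harder it is to crack” from a hope into a measurable cost.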

Source:
http://www.pcadvisor.co.uk/news/security/3521620/avast-takes-community-forum-offline-after-data-breach/