Security

Potentially the latest in a string of high-profile data thefts

The world’s biggest office-supply retailer is investigating reports of a possible data breach of Staples customers’ credit cards after banks detected a pattern of unusual charges concentrating on a group of shoppers.

Staples acknowledged on Tuesday that it had launched an investigation and requested assistance from law enforcement officials, Bloomberg reports.

Reports of fraudulent charges recently surfaced on an independent security blog, which noted that the bulk of the card data appeared to come from a group of stores clustered in the northeast, including seven in Pennsylvania, three in New York and one in New Jersey.

The security concerns come amid a wave of breaches in the past two years against retailers like Home Depot, Kmart and Target. The latter said in August that its breach was expected to cost some $148 million.

[Bloomberg]

Third security flaw discovered this year, but researchers say it's not as powerful as Heartbleed

The contraption fastens to a dial commonly used to lock ATMs and guesses the combination through trial and error

A pair of Australian-based security experts have developed a $150 safe-cracking device, making a technology normally reserved for defense department budgets accessible to anyone who can afford a smartphone.

The contraption, which was fashioned out of repurposed electronics and 3D-printed components, fastens onto a safe and spins the dial through a series of combinations, gradually cracking the code through trial and error, the Register reports.

Its inventors, Jay Davis and Luke Janke, say it typically takes four days to pop a standard 2-combination lock which is commonly used to secure ATMs, but they suspect that time could be shaved down to a matter of minutes by simply spinning a few of the default codes set by the lock’s manufacturer. Turns out a startling number of customers don’t bother to reset the code to something more personal and secure.

Another tweak would give the device some longer term memory to track untested combinations, “so if you get busted you can run away and come back and try later on,” Davis told the Register, “not that we condone that.”

[Register]

Microsoft has fixed a series of software bugs, at least one of which was exploited by Russian hackers, according to a new report

Microsoft on Tuesday issued bug patches Tuesday fixing 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net Framework, some of which fixed security holes exploited in attacks against Western targets linked to Russian hackers. The company’s patches fix more than a dozen vulnerabilities that allow remotely located hackers to take control of a target computer, according to a note from Microsoft.

The issues were first revealed by Dallas-based security firm ISight, which said Tuesday that Russia-tied hackers had been using a previously unknown bug in Microsoft Windows Vista through Windows 8.1 to attack NATO, the European Union and targets in Ukraine since September. ISight partnered with Microsoft to report the bug.

The hacks against Western targets are part of a growing wave of cyberattacks linked to Russia amid that country’s ongoing conflict with Ukraine. However, it’s unclear exactly what data hackers took as part of the attack.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” ISight said Tuesday.

"Your stuff is safe," Dropbox tells users after hacking scare

Dropbox said Monday that a list of login credentials posted online early this week was not made public as the result of it being targeted by hackers, but rather because hackers stole usernames and passwords from other services and attempted to use those credentials to access Dropbox accounts.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”

Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that a larger list of usernames and passwords posted online were “not associated with Dropbox accounts.”

Dropbox also said it recently reset passwords on accounts which showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.

Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.

Company says third-party applications were responsible for the breach of as many as 200,000 user accounts

Images from tens of thousands of Snapchat user accounts, many explicit, were leaked onto the internet late Thursday — but the messaging app said the hack wasn’t its fault.

Snapchat said that third-party applications were responsible for the breach of as many as 200,000 user accounts, and that their own servers were never compromised.

A 13GB database of Snapchat photographs taken over a number of years was leaked to online messageboards Thursday. It reportedly includes a large amount of child pornography, from teenage users.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” a statement read. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The news comes just weeks after the release of nude photos of more than 100 celebrities in a massive hack of photos stored in Apple’s iCloud.

Hackers gained access to 600,000 cards

Dairy Queen announced on Thursday that its customer data had been compromised by malware.

The ice cream chain said the breach affected 395 of its over 4,500 locations in the United States. The hacked information contained the names and credit card information of past customers. Fewer than 600,000 cards were affected. Dairy Queen has provided a list of targeted locations.

The company will offer free identity repair services for one year to affected customers and franchise owners, including at Orange Julius locations, John Gainor, president and CEO of International Dairy Queen, said in a statement. “Our customers continue to be our top priority.”

The Backoff malware used to hack Dairy Queen has been used to attack more than 1,000 businesses, the Secret Service reports. Large retailers such as Target and Home Depot have been targeted for larger hacks. Last week, JP Morgan Chase announced a data breach in its system that affected over 76 million households and 7 million small businesses.

Officials say hackers with ties to the Russian government were involved in the JPMorgan attack

Take these steps to protect yourself

JPMorgan Chase said late Thursday that a cyberattack against the bank exposed personal data from 76 million households. Sounds pretty bad for the bank’s customers, right? Well, it is — and it’s awful for the company — but it could’ve been a lot worse.

According to JPMorgan, the hackers responsible for the heist made off with only customers’ names, addresses, phone numbers and email addresses. That’s a lot of personal data — but it isn’t on the same “uh-oh” level as credit card numbers, bank account numbers or passwords, as it’s all pretty easily found online anyway, no hacking required.

However, there’s still a threat here — albeit one that existed beforehand, too. The information the hacker(s) managed to grab can be used to get that other highly sensitive data and, potentially, access to your accounts. How? It’s a process called “social engineering,” which I promise has a lot less to do with Nazis than it sounds. Through social engineering, hackers use easy-to-get data about you, like a name, a phone number and maybe the name of the obedience school your maternal great-grandmother took her second dog, to work their way through your bank or other account’s security verification questions posing as you. If they do a good enough job, the security folks think that yeah, that’s you, and they can get access to your accounts. Scary stuff!

But if you’re worried about the JPMorgan Chase hack and how it might affect you, here are some practical tips:

1. Change your passwords. You should be doing this regularly even without massive hacks happening.

2. Closely monitor your bank and credit card statements and credit score. Immediately report any irregularities to your bank or other relevant company.

3. You can try locking down your credit score, but this can be expensive and it has drawbacks.

4. Here’s a favorite tip of mine: Memorize and use fake answers to those terrible security authentication questions. Anybody can figure out your mother’s maiden name with some simple Google searching, but it’s much harder to figure out the name you told your bank was actually “Jingleheimer-Smith-Hamburger” rather than “Johnson.”

5. Don’t click any suspicious links in any suspicious emails. Always good advice.

6. Finally, wherever available, turn on Two-Step Authentication. This turns your mobile phone into a sort of secondary password that you carry with you at all times, far away from any nefarious hackers.

A cyberbreach at the biggest U.S. bank also compromised data from 7 million small businesses

JPMorgan Chase revealed Thursday that a cybersecurity breach disclosed over a month ago affected 76 million households and 7 million small businesses.

The country’s largest bank by assets said in a regulatory filing that the cyberbreach exposed customer names, addresses, phone numbers and e-mail addresses, but that there was no indication that data that could be used to break into customers’ finances had been accessed.

“There is no evidence that account information for such affected customers — account numbers, passwords, user IDs, dates of birth or Social Security numbers — was compromised during this attack,” JPMorgan Chase said.

JPMorgan also said that it has not seen any unusual customer fraud related to the data breach.

The breach at JPMorgan, which was first disclosed in late August, affects more individuals than both the Target attack last year and the recent Home Depot breach, in which data from 40 million and 56 million credit cards were compromised, respectively.