TIME Security

Home Depot Hackers Exposed 53 Million Email Addresses

A shopper walks past a large Home Depot logo inside a store in New York on May 16, 2006. Bloomberg/Getty Images

They also stole information from 56 million credit cards

The Home Depot hack was even worse than authorities originally thought, according to a new report. Along with compromising 56 million credit card accounts, the hackers also exposed 53 million customer email addresses.

Two months ago, the hackers accessed the retailer’s system through usernames and passwords they stole from a refrigeration contractor’s electronic billing account. Target and other companies have been infiltrated in a similar fashion. Authorities who investigated the Home Depot incident revealed the full scope of the hack to the Wall Street Journal Thursday.

The Home Depot hackers took aim at 7,500 of the company’s self-checkout lanes. The malware hid itself for five months, collecting data and transmitting it to an outside system.

[WSJ]

TIME legal

Why the Constitution Can Protect Passwords But Not Fingerprint Scans

A portable fingerprint scanner is displayed at the Biometrics Conference and Exhibition at the Queen Elizabeth II Conference Centre. Peter Macdiarmid—Getty Images

Fingerprint scans are more secure, except when it comes to the Fifth Amendment

Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimony in court cases.

Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered self-incriminating testimony, biometrics like fingerprint scans fall outside the law’s scope.

“If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”

“The important thing is,” Hofmann said, “is it something you know, or something you have?”

The Virginia ruling was perhaps the most clear-cut decision among similar cases whose outcomes have varied significantly by circumstance. In United States v. Fricosu (2012), a court ruled because it was “a foregone conclusion” that the defendant’s password-locked data was incriminating, the Fifth Amendment didn’t apply. In United States v. John Doe (2011), the defendant, who had a hard drive protected by encryption, at first didn’t receive Fifth Amendment protection, but that decision was reversed by an appellate court that ruled that if Doe provided his decryption password, then it would “lead the Government to evidence that would incriminate him.” Last week’s Virginia ruling is a fresh example of what can happen when a 225-year-old law is applied to a field as rapidly changing as digital security.

“I think the courts are struggling with this, because a fingerprint in and of itself is not testimony,” said Hayes Hunt, a criminal defense and government investigations lawyer at Cozen O’Connor. “The concern is, once we put a password on something or in ourselves, we have a certain privacy interest.”

Judges across the country will only have to make more decisions about biometrics, as their use by everyday consumers is on the rise. Today, our data is protected by everything from iris scans at airports to heartbeat measurements and ear-print smartphone locks. “This whole area is in such a state of flux,” said Jody Goodman, a counsel at Crowell & Moring. “It seems like every week there are new things happening.”

Apple in particular is one of the most widely-recognized consumer technology companies that have adopted biometrics, though it wasn’t the first. Its latest flagship iPhones and iPads come with Touch ID, which lets users unlock their devices or make payments by scanning their thumbprints instead of inputting a numeric passcode. But while Apple and other companies with fingerprint scanners on their devices say the feature provides more protection from data theft, the Virginia ruling means that data protected only by an old-school passcode is afforded stronger legal protection under the Fifth Amendment.

The solution for those seeking more legal cover for their data, though, is surprisingly simple. If a defendant’s data is protected by both a thumbprint and a passcode, he or she could invoke the Fifth for the thumbprint, thereby blocking access to the data — at least according to the precedent set by the Virginia case. But for now, iPhones at least lack this option, probably because it’s not being demanded by consumers.

“I think Apple will respond to what the market demands,” said Goodman. “Most people don’t want to be bothered [by additional security]. That’s why the fingerprint technology was created in the first place.”

TIME Security

How to Avoid the ‘Biggest’ iPhone Malware App Attack Yet

Customers look at the new iPhone 6 at an Apple Store on September 19, 2014 in Palo Alto, California. Justin Sullivan—Getty Images

New malware called Wirelurker may have affected hundreds of thousands of users

Hackers are targeting Apple mobile and desktop users with malicious software in order to damage or steal information, a Silicon Valley security company said Wednesday. The malware has been targeting the iPhone iOS systems for the past six months.

Palo Alto Networks, the company that has discovered the attack, nicknamed the hacking campaign “Wirelurker” and called it “the biggest in scale we have ever seen” against Apple mobile and desktop users. Wirelurker has infected over 450 apps that are sold through a third-party iPhone application store in China called the Maiyadi App Store. The infected apps have been downloaded over 356,104 times in the last six months, Palo Alto Networks said, and “may have impacted hundreds of thousands of users.”

Why it might not be the end of the world. Wirelurker originates in apps downloaded through the third-party Maiyadi app store. You have to “jailbreak” your phone to allow it access to third-party app stores. Here’s the rub: Most Apple users simply download apps from the official App Store. So if you’re just doing your thing and downloading apps through Apple, you’ve greatly reduced your exposure to Wirelurker and other malware in general.

Why it actually might be the end of the world. Wirelurker is sophisticated, and once it infects a phone, it can travel to uninfected phones through desktop computers. When someone connects an infected iPhone to a computer running OS X via a USB cord, Wirelurker installs itself on the Mac. Then it listens for a USB connection to another iOS device and immediately infects that new device. So even if you’re not using apps from third-party stores, you can still catch Wirelurker that way.

Moreover, it’s not unusual for iPhone users to jailbreak their phones to use third-party app stores. For people who want access to a greater array of apps that might be unavailable through Apple, jailbreaking is an enticing alternative — but you’d know if you have a jailbroken phone.

What Wirelurker actually does. Palo Alto Networks says the “creator’s ultimate goal is not yet clear,” but the New York Times reports that the malware can be used to steal a victim’s address book, read iMessage messages and regularly connect with attackers’ command and control server, which could potentially let them control infected iPhones from afar.

What you can do to avoid it. First, avoid using third-party app stores, download sites or other untrusted sources to download applications or games. That’s where Wirelurker originates.

Second, don’t connect your phone to an untrusted computer, like one at your school or library. If you’re connecting your iPhone to a Mac to either charge it or share data, and that Mac has been exposed to Wirelurker, you could risk infecting your phone. Stick to known computers only — if you need to charge your phone, plug it into an outlet instead.

TIME apps

These Are the Least Secure Messaging Apps

The icons for Tencent Holdings Ltd.'s messaging applications WeChat, left, and QQ are displayed on an Apple Inc. iPhone 5s. Bloomberg via Getty Images

New report says Skype, Facebook Chat and even "off the record" Gchat aren't actually that secure

So-called “secure messaging” systems, including popular apps like Skype and Facebook Chat, don’t actually live up to their supposed safety, according to a report released Tuesday by a digital rights group.

The Electronic Frontier Foundation’s Secure Messaging Scorecard judged the security of over 30 e-mail, social media, voice and video calling apps across seven categories, including whether the provider can read your messages and whether your previous communications are secure if your passkeys are stolen.

Some of the most popular chat platforms, including Facebook Chat, Snapchat, WhatsApp, BBM, AIM and even “off the record” Google Chat, lack the encryption necessary to protect communications from the app’s makers, though they do encrypt messages during transit, the EFF’s scorecard says.

The most secure mainstream chat apps are Apple’s iMessage and FaceTime, which are encrypted so that neither outsiders nor Apple can access your conversations. Still, both lack security functions to verify your contacts’ identities, and they also don’t release their code for independent review.

Of the 38 systems evaluated in the scorecard, only six managed to fulfill all seven categories: ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text and TextSecure, all lesser-known apps purpose-built for the security-minded.

Aside from Mxit, a messaging app popular in South Africa, the other app that failed all seven of the security indicators is QQ, a hit Chinese messaging app with nearly 1 billion users.

The EFF’s full scorecard can be viewed here.

TIME Security

Report Links China to Cyberattacks on Hong Kong Protesters

A pro-democracy protester uses a phone to record people waving lights next to the central government offices in Hong Kong as activists marked one month since authorities used tear gas in an attempt to disperse them on October 28, 2014. Alex Ogle—AFP/Getty Images

A new report supports the theory that the Chinese government is sponsoring the attacks

Digital footprints from previous cyberthreats believed to have emanated from China have been linked to recent attacks on pro-democracy websites in Hong Kong, according to a new report.

The findings of cybersecurity forensics firm FireEye suggest that there may be a “common quartermaster” behind the two attacks, further supporting a running theory that Chinese officials are breaching Hong Kong’s networks to suppress or spy on the ongoing political uprising there. Protesters in Hong Kong have been demonstrating since September, pushing for greater freedom in choosing their political representation.

FireEye analysts said they made the discovery when they matched digital certificates from a series of quiet data thefts originating in China, which FireEye reported earlier this year, to those of a conspicuous network-blocking attack that disrupted a pro-democracy Hong Kong news site in October.

Because the two types of attacks have very different agendas, the fact that they shared common certificates suggests they may be motivated by Chinese state interests, said FireEye analyst Mike Scott, one of the report’s authors.

“We understand that there has been a long series of campaigns over the past 10 to 15 years coming from China [to steal intellectual property],” said FireEye analyst Ned Moran, who co-authored the report. “We can tie that intrusion activity through technology data points to the [pro-democracy news site attack], which is attempting to suppress speech in Hong Kong. Who would benefit from both of those activities?”

Scott added that the reason his team was able to detect the digital certificates was because whoever created the malware didn’t employ high levels of security, a step attackers often skip because digital certificates function more like receipts than fingerprints, revealing only usage and not attackers’ identities.

Supporters of the pro-democracy movement, known as Occupy Central, have been the target of recent attacks that cybersecurity watchdogs believe are also the work of the Chinese government. On Sept. 17, a group of coders backing transparency in Hong Kong’s government reported that several protesters’ Android operating systems had been infected with spyware. Two weeks later, Lacoon Mobile Security found that similar spyware was targeting protesters’ iOS systems. The firm said that because cross-platform attacks are so rare, the perpetrator is likely “a large organization or nation-state.”

FireEye analysts said that they did not discover any direct links between the attacks on protesters’ Android and iOS devices and the attacks on pro-democracy news sites, but said that the attackers may be using several methods to achieve their goal.

TIME Security

Apple Pay Competitor Defends Service After Hack Exposes Emails

A worker demonstrates Apple Pay inside a mobile kiosk sponsored by Visa and Wells Fargo to demonstrate the new Apple Pay mobile payment system on October 20, 2014 in San Francisco City. Justin Sullivan—Getty Images

"This is not a breach"

Apple Pay competitor CurrentC defended the security of its mobile payment system in a Wednesday conference call, just hours after its parent company MCX reported that hackers had obtained some users’ e-mail addresses.

MCX CEO Dekkers Davidson said the attack, which targeted the company’s email vendor, was “not a breach” of the CurrentC app itself. He also emphasized that the incident affected mostly dummy e-mails used in the yet-unreleased service’s ongoing testing phase. Davidson also revealed that some dummy zip codes were stolen and that CurrentC’s systems had withstood several repeated attacks during the past week.

Davidson added the hack hasn’t made the company hesitant to store customer information in the cloud, a plan that’s been criticized given that CurrentC’s main competitor, Apple Pay, doesn’t collect any traceable information at all.

“In terms of consumers’ information and any payment credentials, they’re not stored on a device. They’re not actually present in the physical world,” Davidson said. “And that we think is a design or implementation that makes it far more secure than the world we live in today, and far more secure than many of the alternatives that have been advanced over the last few years.”

While MCX is a joint venture by retailers in order to create a retailer-owned payment system, Davidson said that the service is “first and foremost” about customer engagement. Part of that customer engagement will include a consumer privacy dashboard so that users can elect what information, if any, they would like to share with merchants.

MCX has been under scrutiny after reports suggested that MCX members CVS and Rite Aid disabled Apple Pay because of a contractual agreement for exclusivity. However, Davidson said that the company welcomes competition, and that it is the merchants’ choice whether or not to accept other forms of mobile payment. He added that MCX member retailers are not subject to fines if they choose to adopt Apple Pay, which registered 1 million credit cards in its first three days.

Davidson added that although some MCX merchants have blocked Apple Pay, MCX is open to member retailers using both Apple Pay and CurrentC simultaneously once the latter service goes public early next year.

“We have a great deal of respect for Apple, of course, and Apple Pay,” Davidson said. “We believe and our merchants believe we require two to three strong players in the space to build the ecosystem.”

TIME Security

Why You Should Care That the White House Got Hacked

A sign warning of a restricted area is posted on the temporary barricade in front of the fence line to the White House in Washington, DC, October 23, 2014. Jim Watson—AFP/Getty Images

Russian hackers may have jumped the White House's digital fence

Security experts are pointing fingers at Russian hackers for a cyberattack against the White House that came to light late Tuesday, marking the latest in a series of high-profile attacks linked to that country.

The attack doesn’t appear to have caused much harm. There was no evidence that hackers had breached classified networks. White House Press Secretary Josh Earnest on Wednesday said the attacks were an “inconvenience,” but attributed ongoing network disruption to the government’s cleanup of the incident rather than the attack itself. So why should we care that unclassified networks at the White House were hacked?

First, experts say the White House attack shows just how wide a net Russian hackers appear to have cast, especially as tensions between the U.S. and Russia have heightened amid the ongoing crisis in Ukraine. The recent hack is just the latest in a slew of attacks attributed to Russian hackers who security researchers have connected to the Russian government — earlier this month, a Russian hacking group reportedly exploited a Microsoft Windows flaw to spy on NATO and the Ukrainian government. Russian hackers were also behind an attack on JPMorgan Chase that compromised customer information linked to 83 million accounts, according to a recent report. If Russian hackers are indeed behind the White House attack, we should be concerned about their possible intent to probe deeper into the White House network.

“The objective of this may have been a test to determine what the security culture is at the White House before targeting more sophisticated networks,” said Armond Caglar, a senior threat specialist at the firm TSC Advantage.

Beyond that, the White House attack shows that even some of the most well-protected institutions are vulnerable, even if the hackers didn’t get ahold of any national security secrets this time around. “On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official told the Washington Post. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

Attacks on private and public sector entities—including the White House—are now par for the course. Says Adam Golodner, an attorney at Kaye Scholer who practices cybersecurity law: “This is the world in which chief information security officers now live.”

– With reporting from Zeke J. Miller

TIME Security

Retailers’ Apple Pay Competitor Has Already Been Hacked

Retailers joined forces to create the digital wallet, which has received cold reviews

Apple Pay competitor CurrentC said Wednesday that hackers have gotten their hands on some users’ information, according to a statement from MCX, the service’s developer. The hackers targeted MCX’s e-mail provider, not the CurrentC app itself.

MCX said that the hackers accessed some e-mail addresses of CurrentC pilot program participants and individuals who had expressed interest in using the free digital wallet. MCX, a joint venture created by major U.S. retailers in part as an effort to avoid paying credit card transaction fees, did not disclose how many individuals were affected, but said many of the stolen e-mail addresses were not those of actual users.

“Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected,” Linda Walsh, a spokeswoman for MCX, said in an e-mail. “We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved.”

The hack targeting CurrentC, which is set for release next year, comes on the heels of news that retail giants CVS and Rite Aid—two members of MCX—will not accept Apple Pay despite at first allowing the service. A leaked in-house memo indicated that the reason may be the two companies’ involvement with CurrentC. Apple CEO Tim Cook said Tuesday in an interview with The Wall Street Journal that the situation amounted to a “skirmish.”

News of CurrentC’s vulnerability also adds to the less-than-warm reviews of the mobile payment service, which some reviewers say was designed more for the benefit of retailers than for customers. It also boosts the reputation of its competitor Apple Pay, which has championed its customer data security. Apple Pay users registered one million cards on the service in its first three days, Cook said earlier this week.

TIME Security

Americans Are More Afraid of Being Hacked Than Getting Murdered

Credit card payment in pharmacy.
Getty Images

Nearly 70% of Americans are worried they'll be hacked. Just 18% are afraid of being murdered

Americans are more worried that their credit card information will be stolen by hackers than they are about being murdered, sexually assaulted or having their home targeted by a burglar, according to a Gallup poll released this week.

Sixty-nine percent of Americans said they frequently or occasionally worry about having credit card information they use in stores stolen by computer hackers, making hacking by far the most feared crime in the United States, according to the poll. The second-ranking crime that Americans worry about is having their computer or smartphone hacked, with 62% of Americans occasionally or frequently worried about such a breach.

By comparison, 45% of Americans are worried about their homes being burglarized, 28% about being the victim of terrorism and 18% are worried about getting murdered.

Target, Home Depot and Neiman Marcus have all reported massive hacks in the past year, affecting many millions of customers. Fully one quarter of Americans say they or someone in their household has had information from a credit card used at a store stolen by computer hackers during the last year.


TIME White House

White House Computer Networks Hacked

Early morning sunrise is seen over the White House in Washington, Oct. 28, 2014. Pablo Martinez Monsivais—AP

Russian hackers suspected

Hackers believed to be employed by the Russian government breached White House computer networks in recent weeks, temporarily disrupting services.

Citing unnamed sources, the Washington Post reported there was no evidence that hackers had breached classified networks or that any of the systems were damaged. Intranet or VPN access was shut off for a period but the email system was never downed. The breach was discovered two to three weeks ago, after U.S. officials were alerted to it by an unnamed ally.

“On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official told the Post. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

Cybersecurity firms in recent weeks have identified NATO, the Ukrainian government and U.S. defense contractors as targets of Russian hackers thought to be working for the government.

[The Washington Post]
