Sandwich Chain Jimmy John’s Investigating Breach Claims

July 31, 2014 – 8:03 PM

Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.

Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.

Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”

The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.

Source:
http://krebsonsecurity.com/2014/07/sandwich-chain-jimmy-johns-investigating-breach-claims/

Massive, undetectable security flaw found in USB: It’s time to get your PS/2 keyboard out of the cupboard

July 31, 2014 – 4:57 PM

Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn’t plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we’ll outline below, this won’t always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it’s your PC, smartphone, external hard drive, or an audio breakout box, there’s a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.

Source:
http://www.extremetech.com/computing/187279-undetectable-indefensible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard

AV engines are riddled with exploitable bugs

July 29, 2014 – 5:40 AM

A security researcher has found a great number of exploitable vulnerabilities in popular security solutions and the AV engines they use, proving not only that AV engines are as vulnerable to zero day attacks as the applications they try to protect, but can also lower the operating system’s exploit mitigations.

“Installing an application in your computer makes you a bit more vulnerable,” says Joxean Koret, a researcher with Singapore-based Coseinc, and that is equally true for AV solutions.

Wielding a custom developed fuzzing testing suite against all the AV engines he could find, he unearthed dozens of remotely exploitable vulnerabilities. He tested the engines used by BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG.

Almost all engines written in C and/or C++, which opens the door for attackers to discover and leverage buffer and integer overflow bugs. Also, most of them install OS drivers, which could allow attacker to perform escalation of privilege.

“Most (if not all…) antivirus engines run with the highest privileges: root or local system,” he noted. “If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges.”

Finally, most AVs get updates via HTTP only protocols, which could lead to man-in-the-middle attacks that deliver malware instead of updates.

Source:
http://www.net-security.org/malware_news.php?id=2823

Apple “inadvertently admitted” to iOS backdoor: forensics expert

July 23, 2014 – 5:36 AM

Apple has “inadvertently admitted” to creating a “backdoor” in iOS, according to a new post by a forensics scientist, iOS author and former hacker, who this week created a stir when he posted a presentation laying out his case.

Apple has created “several services and mechanisms” that let Apple — and, potentially, government agencies or malicious third parties — extract lots of personal data from iOS devices, says Jonathan Zdziarski. There is, he says, no way to shut off this data leakage and there is no explicit consent granted by endusers.

He made his case in a talk, “Identifying back doors, attack points, and surveillance mechanisms in iOS devices,” [available in PDF] at the annual HOPE X hackers conference last week in New York City. The talk was based on a paper published in the March issue of “Digital Investigation,” which can be ordered online.

Essentially, Zdziarski says that Apple over time has deliberately added several “undocumented high-value forensic services” in iOS, along with “suspicious design omissions…that make collection easier.” The result is these services can copy a wide range of a user’s personal data, and bypass Apple’s backup encryption. That gives Apple, and potentially government agencies, such as the National Security Agency, or just bad people intent on exploiting these service, the ability to extract personal data without the user knowing this is happening.

Source:
http://www.pcadvisor.co.uk/news/security/3532138/apple-inadvertently-admitted-to-ios-backdoor-forensics-expert/?olo=rss

EFF releases Firefox, Chrome plugin to stop online tracking

July 22, 2014 – 7:04 PM

The Electronic Frontier Foundation (EFF) has released a beta version of Privacy Badger, a browser extension for Firefox and Chrome that detects and blocks online advertising and other embedded content that tracks you without your permission.

Privacy Badger was launched in an alpha version less than three months ago, and already more than 150,000 users have installed the extension. Monday’s beta release includes a feature that automatically limits the tracking function of social media widgets, like the Facebook “Like” button, replacing them with a stand-in version that allows you to “like” something but prevents the social media tool from tracking your reading habits.

“Widgets that say ‘Like this page on Facebook’ or ‘Tweet this’ often allow those companies to see what webpages you are visiting, even if you never click the widget’s button,” said EFF Technology Projects Director Peter Eckersley. “The Privacy Badger alpha would detect that, and block those widgets outright. But now Privacy Badger’s beta version has gotten smarter: it can block the tracking while still giving you the option to see and click on those buttons if you so choose.”

EFF created Privacy Badger to fight intrusive and objectionable practices in the online advertising industry. Merely visiting a website with certain kinds of embedded images, scripts, or advertising can open the door to a third-party tracker, which can then collect a record of the page you are visiting and merge that with a database of what you did beforehand and afterward. If Privacy Badger spots a tracker following you without your permission, it will either block all content from that tracker or screen out the tracking cookies.

Source:
http://www.net-security.org/secworld.php?id=17152