324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Around 324,000 users have likely had their payment records stolen either from payment processor

BlueSnap

or its customer

Regpack

; however, neither of the company has admitted a data breach.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.

The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap.

The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate.

Payment Card Data Including CVV Codes Leaked

The data contains users’ details registred between 10 March 2014 to 20 May 2016 and includes names, email addresses, physical addresses, phone numbers, IP addresses, last four digits of credit card numbers, even CVV codes, and invoice data containing details of purchases.

According to Hunt, who owns ‘

Have I Been Pwned

‘ breach notification service, some evidence like file names containing ‘BlueSnap’ and ‘Plimus’ in it suggests that the data comes from BlueSnap.

Plimus is the original name of BlueSnap, which was rebranded after private equity firm Great Hill Partners acquired it for $115Million in 2011.

However, since April 2013, Regpack has been using BlueSnap’s payment platform, it could be possible that the stolen data has come from Regpack.

“We have got 899 totally separate consumers of the Regpack service…who send their data direct to Regpack who pass payment data onto BlueSnap for processing,” Hunt explained in a blog post

“Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”

Whatever the source is, but the primary concern here is that more than 320,000 stolen users financial information is floating around the web.

Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes that are highly valuable payment data, which can be used to conduct “card not present” transactions.

Also, the last four digit of any user’s credit card number can also be used for identity verification that’s very useful in conducting social engineering attacks.

Hunt contacted BlueSnap as well as Regpack, but they both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into

Have I Been Pwned

, so you can search for your address on the site to check whether you are impacted by the breach.

via http://ift.tt/2cTuPXt

PunkSPIDER – A Web Vulnerability Search Engine

PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly.

PunkSPIDER -  A Web Vulnerability Search Engine

In simple terms, that means the authors have created a security scanner and the required architecture that can execute a large number of web application vulnerability scans: all at the same time. The tool, or rather arsenal, works off an Apache Hadoop cluster and can handle tens of thousands of scans.

How Can I See if a Website I Use is Vulnerable?

Searching for a specific website is easy! If you know the URL of your site you can simply type the URL in the search box (without http or https) and find your website. Once there you will be presented with the number of vulnerabilities present on the site.

Let’s try an example together, let’s say you’re looking to check if our the New York Times website http://www.nytimes.com is vulnerable. You could type in www.nytimes.com in the search bar, and you should receive a result back that looks like the following:

www.nytimes.com

Scanned: 20140518T12:30:55.000055Z

bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall Risk:0

The first line gives you the domain of the result. The timestamp field on line 2 is the time that the site was added to our system. Below that is the interesting part, the total number of vulnerabilities found on the website. If you’re non-technical, you can ignore almost every part of that and just look at the Overall Risk field – this will tell you the risk of visiting a website.

As a rule of thumb anything with an Overall Risk of 1 should make you very wary, anything with an Overall Risk of greater than 1 you should stay away from entirely.

What Types of Vulnerabilities does PunkSPIDER Map?

Check it out here:

http://ift.tt/1EVyh7U

via http://ift.tt/2c7q5fF

Security Frameworks Based Auditing with Nessus

How many security frameworks or compliance standards does IT need? If you ask compliance professionals, the answer would be, “Oh, just one more.” If you ask any IT professional, the most likely answer would be, “Oh gosh, not one more!” And yet organizations have been inundated with compliance standards; and it’s not always clear how well they comply or how good their internal processes are when stacked up against industry-wide accepted standards.

In general, security standards all attempt to do very similar things. Namely, wrapping some sort of structure around processes and helping to define a baseline posture. Some standards take a general and all-encompassing road, while others attempt to focus on a particular technical area or business sector. Because of this, a natural and significant overlap emerges.

Security standards all attempt to do very similar things … Because of this, a natural and significant overlap emerges

For example, take asset inventory recommendations. Many standards have a section devoted to inventory management, which has been well documented by experienced professionals as a key first step in assessing risk. NIST 800-53 defines some of this in section CM-8, CSC in CSC-1, the NIST Cybersecurity Framework (CSF) uses ID.AM-1, and so on. In fact, the overlap is so common that CSF includes a whole section devoted to which standards each of its controls map to.

The overlap may seem initially like a weakness, but quickly proves to be the opposite. If you look at the overlap as redundancy-not-wastefulness the strength of this overlap comes into focus. The redundant items across standards begin to take on the tone of a common language, and from there the small differences between industries or departments become manageable edge cases and outliers.

Compliance standards and Tenable audit files

The majority of the Nessus® compliance audit files and the checks within can be traced directly back to a benchmark or other source document such as a DISA STIG (Defense Information Systems Agency, Security Technical Implementation Guide) or CIS (Center for Internet Security) guide. These source documents lay out the items that should be tested and the specific values that have been deemed acceptable. These source documents didn’t just appear out of nowhere; in most cases, they grew from an attempt to turn the general structures in one (or more) of the security standards into actionable items.

For example, here’s a check from the CIS Windows 7 Configuration Benchmark:

1.1.1 Enforce password history

which in turn maps directly to NIST 800-53 control IA-5, PCI-DSS item 8.2.5 and CSF section PR.AC-1 and many others as you can see in the example below. There are countless such examples throughout the audit files.

<custom_item>
  type    	: PASSWORD_POLICY
  description : "1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'"
    see_also : "http://ift.tt/2cHmEwR;
  reference : "800-53|IA-5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.5,800-171|3.5.10,800-171|3.5.7,800-171|3.5.8,800-171|3.5.9,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3"
  value_type  : POLICY_DWORD
  value_data  : [24..MAX]
  password_policy : ENFORCE_PASSWORD_HISTORY
</custom_item>

Cross-references in Nessus audit files

Over the last few months, Tenable has invested time in adding extensive compliance cross-references across all the audit files, in both Nessus and SecurityCenter™. So for example, if you run a CIS Benchmark Compliance scan as part of your normal process, you will also be collecting information in relation to NIST 800-53, CIS CSC and ISO 27001 at the same time. All of these results are immediately available, attached to each check result when your scan has completed, and then you can run more specific SecurityCenter dashboards for the relevant standards.

Standards cross-referenced in Nessus audits

Currently, Tenable has also added cross-references to Nessus audits for many different standards, ranging from general ones like NIST 800-53 and ISO 27001 to industry-specific standards like NERC CIP. Keep in mind though, that not every audit item maps to every other standard. Only those items that are specifically related to a given control within a standard have been assigned a cross-reference.

Here’s a short list of standards for which cross-references have been added:

Benefits to end users

Even if your specific environment is only concerned with one or two security standards, having the ability to communicate outward to partners or outside organizations will often pay dividends. The cross-reference enables you to communicate internally in terms that different audiences find useful. The cross-reference gives you the ability to speak in terms of PCI to compliance teams, NIST 800-53 to technical and security groups, and ISO 27001 to policy makers and executives. 

Here’s a sample SecurityCenter NIST 800-53 Dashboard using the 800-53 cross-references:

NIST 800-53 Dashboard

Wrap-up

While working with standards isn’t likely to replace a good movie or book as your first choice for a lazy weekend, if we take a step back and forget all the times that standards have been misused as an insurmountable roadblock, you might see something interesting that can improve your security posture.

via http://ift.tt/2cEj4Cb

Massive Data Breach Exposes 6.6 Million Plaintext Passwords from Ad Company

Another Day, Another Data Breach! And this time, it’s worse than any recent data breaches.

Why?

Because the data breach has exposed plaintext passwords, usernames, email addresses, and a large trove of other personal information of more than 6.6 Million ClixSense users.

ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of “

Mega-Breaches

” revealed in recent months, including

LinkedIn

,

MySpace

,

VK.com

,

Tumblr

, and

Dropbox

.

Hackers are Selling Plaintext Passwords and Complete Website Source Code

More than 2.2 Million people have already had their personal and sensitive data posted to PasteBin over the weekend. The hackers who dumped the data has put another 4.4 Million accounts up for sale.

In addition to un-hashed passwords and email addresses, the dump database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories, and other banking details of Millions of users.

Troy Hunt, operator of

Have I Been Pwned

? breach notification service, verified the authenticity of the data taken from ClixSense.

Besides giving away 4.4 Million accounts to the highest bidder, the hackers are also offering social security numbers of compromised users, along with the complete source code of the ClixSense website and “70,000 emails” from the company’s internal email server, according to a Pastebin message advertising the stolen database.

PasteBin has since removed the post as well as the sample of the compromised database that contained user account information.

Here’s How Hackers Hacked ClixSence:

ClixSense

admitted

the data breach and said some unknown hackers were able to get access to its main database through an old server which the firm was no longer using, but at the time, still networked to its main database server.

After gaining access, the hacker was able “to copy most, if not all” of the ClixSense users table, ran SQL code to change account names to “hacked account,” deleted several forum posts, as well as set account balances of users to $0.00.

While talking to

Ars Technica

, ClixSense owner Jim Grago admitted that the database contained entries for roughly 6.6 Million accounts and that the company became aware of the breach on September 4 and managed to regain control of their DNS over the weekend.

“This all started last Sunday, September 4th about 5 am EST when my lead developer called me and said ClixSense was redirecting to a gay porn site. The hackers were able to take over our DNS and setup the redirection,” Grago wrote.
“On Monday (Labor day) they were able to hack into our hosting provider and turned off all of our servers, hacked into our Microsoft Exchange server and changed the passwords on all of our email accounts. On Tuesday they were able to gain access to a server that was directly connected to our database server and get a copy of our users table.”

Change Your Passwords and Security Questions Now

Users are strongly advised to change their passwords for ClixSence account immediately, and it would also be a good idea to reset passwords for all of your other online services, especially those using the same passwords.

Since ClixSense uses a large trove of personal information on its users, make sure you change your security questions, if it uses any of the information you provided to ClixSense, such as your address, date of birth, or other identifying information.

Moreover, I recommend you to use a

good password manager

to create strong and complex passwords for your different online accounts, and it will remember all of them on your behalf.

I have listed some of the

best password managers

that could help you understand the importance of password manager and choose one according to your requirement.

via http://ift.tt/2cNjnbk

PCI Council wants more robust security controls for payment devices

The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

payment devices

Specifically, version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emphasizes more robust security controls for payment devices to prevent physical tampering and the insertion of malware that can compromise card data during payment transactions.

The updates are designed to stay one step ahead of criminals who continue to develop new ways to steal credit and debit card data from cash machines, in-store and unattended terminals and mobile devices used for payment transactions. Payment devices that directly consume magnetic stripe information from customers remain a top target for data theft, according to the 2016 Data Breach Investigation Report from Verizon.

“Criminals constantly attempt to break security controls to find ways to exploit data. We continue to see innovative skimming devices and new attack methods that put cardholder data at risk for fraud,” said PCI Security Standards Council CTO Troy Leach. “Security must continue to evolve to defend against these threats. The newest PCI standard for payment devices recognizes this challenge by requiring protections against advancements in attack techniques.”

A summary of PCI PTS POI Modular Security Requirements version 5.0 updates are available here.

Vendors can begin using PCI PTS POI Modular Security Requirements version 5.0 now for payment device evaluations. Version 4.1 will retire in September 2017 for evaluations of new payment devices.

“With EMV chip the industry is improving protections against skimming and other attacks to reduce fraud,” added PCI Security Standards Council General Manager Stephen Orfei. “But no technology is bulletproof. In this ongoing battle against criminal attacks, we must continue to adapt the way we secure payments. With the latest PCI device standard, PCI is driving the evolution of global industry data security standards that protect payment transactions now and in the future.”

via http://ift.tt/2cStf71

New MySQL Zero Days — Hacking Website Databases

Two critical zero-day vulnerabilities have been discovered in the world’s 2nd most popular database management software MySQL that could allow an attacker to take full control over the database.

Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forked such as MariaDB and PerconaDB.

Golunski further went on to publish details and a

proof-of-concept exploit

code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB.

Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.

The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.

Exploitation Vector?

The above flaw could be exploited either via SQL Injection or by hackers with authenticated access to MySQL database (via a network connection or web interfaces like phpMyAdmin).

“A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” Golunski explained in an advisory published today.

This could result in complete compromise of the server running the affected MySQL version.

The researcher also warned that the vulnerability could be exploited even if SELinux or AppArmor Linux kernel security module is enabled with default active policies for MySQL service on the major Linux distributions.

The flaw actually resides in the mysqld_safe script that is used as a wrapper by many MySQL default packages or installations to start the MySQL service process.

The mysqld_safe wrapper script is executed as root, and the primary mysqld process drops its privilege level to MySQL user, Golunski examined.

“If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)”

The researcher will soon release details and full exploit code for CVE-2016-6663, the flaw that allows low-privileged attackers to make exploitation trivial.

Golunski reported the zero-day flaws to Oracle on July 29 and other affected vendors on July 29.

While Oracle acknowledged and triaged the report, scheduling the next Oracle CPUs for October 18, 2016, MariaDB and PerconaDB patched their versions of the database software before the end of August.

Since more than 40 days have passed and the two vendors released the patches to fix the issues, Golunski said he decided to go public with the details of the zero-days.

via http://ift.tt/2clFaHA

ING Bank’s main data center was shut down by a loud noise

Members of ING Bank found themselves unable to use their debit cards this weekend due to a completely unexpected technical failure: it was just too dang loud. More specifically, a loud noise caused by a fire extinguisher test knocked out a few dozen hard-drives at the bank’s main data center in Bucharest Romania. It’s an uncommon, but not unknown phenomenon — sound causes vibration, and hard-drives hate being jostled.

The bank was testing an electronics-safe fire suppression system in the main data center, but a pressure discrepancy caused the system to emit a loud noise while expelling inert gas. According to the bank, the sound was measured a over 130dB — apparently loud enough to knock the HDD’s physical components out of alignment.

That makes sense, but why hasn’t something like this happened before? In a paper about hard-drive fragility and fire suppression systems, IBM researchers blame the march of progress: "Early disc storage had much greater spacing between data tracks because it held less data," The paper reads. "Which is a likely reason why this issue was not apparent until recently." Modern hard drives are less tolerant, and will fail if its read/write arm nudges 1/1,000,000 of an inch off of its data track. Good to know for folks building data centers with potentially loud fire suppression systems — but maybe this is just yet another sign that solid state storage is the future.

Source: Motherboard, Data Center Journal

via http://ift.tt/2cmRpVf

Data Entry Blunders Force Air Asia Pilots To Land in Melbourne Instead of Malaysia

A flight from Sydney to Malaysia ended up in Melbourne after the captain incorrectly entered the plane’s location in its navigation system just before take-off, according to a safety investigation, whose conclusion was published this week. Mashable reports:The Air Asia pilots made several errors in entering data into the aircraft’s navigation system, which caused them to follow an incorrect flight path out of Sydney, according to Australian transportation officials. While troubleshooting the incorrect flight path, the pilots were unable to fix the issue, and may have compounded it. The aircraft’s systems would not allow the plane to be flown in instrument conditions and the weather also had deteriorated in Sydney by the time the pilots decided to turn back. They were directed via radar to a visual approach in Melbourne where they could land safely. The pilots did not believe the airport was located in Malaysia.



Share on Google+

Read more of this story at Slashdot.

via http://ift.tt/2cdjH24