HipChat's Security Win

<INSERT SCARY HACKER PICTURE WITH SALACIOUS HEADLINE>

I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of mainstream sites like Engadget. I'm sure there is coverage on some infosec sites. It's just not as widespread as I see for other breaches. Why is this?

Well, it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend they detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library. The attacker may have accessed user account information for everyone using the service. Because of that they invalidated everyone's password and asked them to set up a new one via the forgot password link.

They were reaching out to 0.05% of their users who were more seriously impacted by the breach. For those users messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percent of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password and it wouldn't work. I had to use forgot password. This meant that passwords didn't need to be changed immediately if people were still working or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot password page. The page was essentially denial-of-serviced, causing some frustration among users. I'm sure there will be plenty of lessons learned this week.
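To make the response concrete, here is an added example of the mechanics behind a "invalidate every password, force a reset" response. It is my own illustration, not HipChat's code, and the store, token lifetime and KDF parameters are assumptions. The points it shows: an invalidated credential refuses login without kicking out sessions that are already open, a reset token is single-use, time-limited and stored only as a hash, and a token issued before a later invalidation is void.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Assumed policy values for this example; not taken from HipChat's post.
RESET_TOKEN_TTL_SECONDS = 60 * 60
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; any modern password KDF would do here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_token(token: str) -> bytes:
    """Reset tokens are stored hashed so a database leak does not leak usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: Optional[bytes]      # None means "invalidated, must reset"
    credential_generation: int = 1      # bumped whenever the credential is replaced
    sessions: Set[str] = field(default_factory=set)


@dataclass
class ResetToken:
    email: str
    expires_at: float
    generation: int                     # generation the token was issued against


class AccountStore:
    """In-memory stand-in for the account database (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.users: Dict[str, User] = {}
        self.reset_tokens: Dict[bytes, ResetToken] = {}

    def create_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> Optional[str]:
        """Returns a session id on success, None on failure or an invalidated credential."""
        user = self.users.get(email)
        if user is None or user.password_hash is None:
            return None
        if not hmac.compare_digest(user.password_hash, hash_password(password, user.salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        user.sessions.add(session_id)
        return session_id

    def session_valid(self, email: str, session_id: str) -> bool:
        user = self.users.get(email)
        return user is not None and session_id in user.sessions

    def invalidate_all_passwords(self) -> None:
        """No password logs in until it is reset.

        Existing sessions are deliberately left alone so people at work are not
        kicked out mid-day; they are revoked once the user completes a reset.
        """
        for user in self.users.values():
            user.password_hash = None
            user.credential_generation += 1   # also voids any reset token issued earlier

    def issue_reset_token(self, email: str) -> Optional[str]:
        """Caller emails the token; only its hash is kept server-side.

        The HTTP layer should answer identically whether or not the address is
        known, so the reset endpoint cannot be used to enumerate accounts.
        """
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hash_token(token)] = ResetToken(
            email, self.now() + RESET_TOKEN_TTL_SECONDS, user.credential_generation
        )
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        record = self.reset_tokens.pop(hash_token(token), None)   # single use: pop, not get
        if record is None or record.expires_at < self.now():
            return False
        user = self.users[record.email]
        if record.generation != user.credential_generation:      # issued before a later invalidation
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.credential_generation += 1
        user.sessions.clear()   # account is re-secured; drop sessions from before the reset
        return True
```

The generation counter is what lets a second invalidation void tokens that were issued (and maybe emailed) before it, without having to hunt them down individually. The load problem on the reset page is a separate concern; a per-address issue limit in front of `issue_reset_token` is the usual place to absorb it.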

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, among other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that and I applaud them.

This post first appeared on Exploring Information Security.

Infosec links January 6, 2015

Chip & PIN vs. Chip & Signature - Brian Krebs - Krebs on Security

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Banks' Lawsuits Against Target for Losses Related to Hacking Can Continue - Nicole Perlroth - The New York Times

The ruling is one of the first court decisions to clarify the legal confusion between retailers and banks in data breaches. In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.

Banks: Card Breach at Some Chick-fil-A's - Brian Krebs - Krebs on Security

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.


InfoSec links October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them, but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target's phone, all of which customers of the software could view online until the government succeeded in temporarily closing the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - ars technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.


InfoSec links October 14, 2014

Signature Systems Breach Expands - Brian Krebs - Krebs on Security

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

Dairy Queen Confirms Breach at 395 Stores - Brian Krebs - Krebs on Security

In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

Snapchat Can't Stop the Parasite Apps That Screw Its Users - Andy Greenberg - WIRED

In a statement, Snapchat puts the blame on third party applications like Snapsaved.com that use its API to allow Snapchatters to save its disappearing messages on their devices, or worse yet, on a remote server. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokesperson writes in a statement. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”


InfoSec links October 7, 2014

Fileless Infections from Exploit Kit: An Overview - Jérôme Segura - Malwarebytes Unpacked

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.

How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks - Kim Zetter - Wired

Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news.

The Unpatchable Malware That Infects USBs Is Now on the Loose - Andy Greenberg - WIRED

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.


Late night links September 10, 2014

For the last week I've been stressing out over a Spanish project that was due this evening. As such, I was unable to get something up for this morning. I have since submitted my project for grading and I am now free to post some content on this website.

A couple of things.

Home Depot confirms breach but stays mum as to size - Robert Lemos - ars technica

On Monday, Home Depot confirmed what we all suspected: they had their point-of-sale (PoS) terminals compromised. If you have shopped at a Home Depot in either the U.S. or Canada at some point in the last five months, all the way back to April, then your credit card was likely stolen by online criminals. Call your bank and have a new card issued.

Unfortunately, this is one of those situations where you did nothing wrong (other than shop at Home Depot, BAZINGA!) and you got your financial information compromised. However, there are some things you can do to help protect your financial well-being, which I wrote about yesterday.

We're in the battle for the net - battleforthenet.com

Internet service providers (ISPs) such as Comcast, Verizon, Time Warner Cable and AT&T are trying to have the FCC restructure regulations so that they can provide two lanes with differing speeds for sites on the internet.

From Wikipedia:

Net neutrality (also network neutrality or Internet neutrality) is the principle that Internet service providers and governments should treat all data on the Internet equally, not discriminating or charging differentially by user, content, site, platform, application, type of attached equipment, and modes of communication.

If ISPs are allowed to regulate the internet, then we essentially lose our freedom on the internet. If you want to get a better understanding of the situation, here is John Oliver's take on the whole issue. It's 15 minutes long, but worth it.


Brian Krebs links June 30, 2014

P.F. Chang's Breach Likely Began in Sept. 2013 - Brian Krebs - Krebs on Security

These types of breaches are why I use a credit card everywhere I shop. If a breach occurs at a retailer I'd much rather they have access to a credit card, indirect money, than my debit card, which goes directly to my bank account. I have never eaten at P.F. Chang's, so I have nothing to worry about in this instance, but I did shop at Target in December and I'm sure to shop at another place that gets breached. What's disconcerting about this is that we're just now hearing about it when the initial breach occurred nine months ago. Another good reason to check your transactions on a regular basis.

Oil Co. Wins $350,000 Cyberheist Settlement - Brian Krebs - Krebs on Security

Both the oil company and the bank are pointing fingers at each other for a breach that occurred on the oil company's bank account. Allegedly, an oil company employee who just happened to have access to the company's financial account with said bank fell for a phishing email. The oil company argued that the bank should have had more security measures in place, while the bank argued that the oil company got malware installed on its machine. This would have been an interesting one to see in trial, but alas the bank's insurance company cut a check for the money lost.

Car Wash: Card Breaches at Car Washes - Brian Krebs - Krebs on Security

Is no place sacred?

It's really not all that surprising. Compromised and insecure point-of-sale systems, default admin passwords, etc. The most interesting thing about this story is that street gangs are taking advantage of these breaches as buyers of the stolen credit cards. And the fact that one of the detectives quoted in this article said this:

“Honestly, the fact that we still have bank robberies is sort of perplexing,” he said. “Rob a bank and you’re lucky if you get away with $600. But you can rob a credit card company and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims. And most of the retailers are so afraid of having their name in the press associated with credit card fraud and data breaches that make the job doubly hard for us.”


InfoSec Links April 5, 2014

Fandango, Credit Karma settle with FTC over app security flaws - by Kate Tummarello - The Hill

If you build an insecure app the FTC is going to come after you. Hopefully, this will make developers start taking security into consideration when building apps, especially when it deals with some form of currency.

Web TV service Boxee.tv Hacked, Details of 158,000 Forum Users Leaked - By Eduard Kovacs - Softpedia

If you have a Boxee.tv account you might want to go change your password. And this is just another example of why you want to have different passwords for different accounts. If you need help with managing your passwords, might I suggest Password Safe (look for a post in the future).

Big Brother Goes Dutch - by Lee Munson - Security Watch

The Dutch have voted for more surveillance. /facepalm
