TweakTown News
Office retailer Staples was the latest high-profile company hit by a data breach, with customers in the Northeastern United States affected. The US Secret Service is now investigating the incident, which involved debit and credit card data of an unknown number of customers. It appears retail locations in Pennsylvania, New Jersey and New York were hit, but it's possible stores in other states were also targeted.
"We take the protection of customers' information very seriously, and are working to resolve the situation," Staples said in a statement. "If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."
Retailers are struggling to keep data secure, as similar attacks have victimized Target, Home Depot, Kmart and Sears, with millions of customers across the country affected by these breaches.
The Securities Industry and Financial Markets Association (SIFMA), the top Wall Street trade group, wants increased inter-agency efforts to create cybersecurity guidelines for the financial industry. Instead of a "one size fits all" approach to cyberattacks, regulators could ensure that cybersecurity rules require companies to conduct "risk-based" and "value-added" audits.
"You could have a patchwork... for a big global bank, of five or six regulators all looking at this from a slightly different perspective, with slightly different guidance or principles of what they think is effective," said Karl Schimmeck, SIFMA managing director of financial services operations, in a statement to Reuters.
Banks and financial companies already use stronger cybersecurity than other private sector companies, but JPMorgan Chase's recent breach showed they clearly aren't immune from high-profile cyberattacks. The U.S. federal government is still working out how to require companies to disclose breaches, along with helping them defend against future attacks.
Well, that didn't take long: China is denying any responsibility for the reported Apple iCloud attacks aimed at compromising Chinese users. The "man in the middle" (MITM) attack mimicked similar cyberattacks the Chinese government has used in the past, and could have been carried out by state-sponsored groups.
Chinese government officials said Beijing is "resolutely opposed" to the cyberattacks, with China Telecom - a state-owned Internet service provider - saying the iCloud attack was "untrue and unfounded."
Meanwhile, Apple denies that its iCloud servers were breached by the Chinese government - or anyone else - and the attacks are expected to continue. The iPhone 6 and iPhone 6 Plus were recently launched in China, which is why the cyberattacks took place so quickly.
Chinese iCloud users are under attack, likely by Chinese government state-sponsored hackers, in an effort to compromise Apple iPhone 6 and iPhone 6 Plus users. Users' traffic is routed through a malicious third party that presents a self-signed certificate, making victims believe they are connecting to iCloud over the legitimate SSL-protected service. Because such a certificate is not signed by a trusted certificate authority, browsers display a security warning, and the attack only succeeds against users who click through it.
It wouldn't be surprising to hear the Chinese government wants to compromise users - especially with security researchers noting potential gaps in iCloud security - as the "great firewall" of China undergoes change. Despite the Chinese government trying to clamp down on what Internet users have access to, there are a number of ways to bypass those restrictions.
"This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud, such as iMessages, photos, and contacts," according to the Great Fire Chinese Internet freedom group. "If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities."
Cybercriminals targeting free and open source software continue to rattle developers and consumers, with high-profile attacks hitting security flaws that should have been resolved long ago. Specifically, the Heartbleed and Shellshock exploits have led to increased demand from private companies and the U.S. government to step up programming assistance, but that hasn't been well received among many open source developers. However, it has provided a much-needed wake-up call that open source software should be monitored more closely to prevent such high-profile breaches.
"It's going to be a wake-up call for a lot of people to understand why we aren't auditing this software better," said Greg Martin, Threat Stream Inc founder and chief technology officer. "Everybody's been scratching their heads and saying, 'How could we miss this?'"
Hackers are increasingly organized - and well-funded - and that has made it difficult to defend against attacks, especially for open source software. In theory, open source software provides a much larger pool of developers to help fix flaws, but others argue proprietary software is more secure since the code is closed off from the public.
Even with FBI Director James Comey speaking out against Google and Apple providing encryption on smartphone devices, Apple shipped its Yosemite OS with FileVault enabled by default. The FBI - and other government agencies - are worried that encryption will prevent law enforcement from cracking down on criminals... or so they say.
"With Apple's new operating system, the information stored on many iPhones and other Apple devices will be encrypted by default," Comey recently said. "Shortly after Apple's announcement, Google announced plans to follow suit with its Android operating system. This means the companies themselves won't be able to unlock phones, laptops, and tablets to reveal photos, documents, email, and recordings stored within."
It's impressive to see Google, Apple and other tech companies trying to put customers first - as many users become more concerned about security - and not listening to the FBI's rather questionable concerns.
Russian hackers have generated an estimated $2.5 billion over the past year, as state-sponsored groups are able to breach companies in the United States and Western Europe. The Target breach, impacting millions of customers, helped them generate a tremendous amount of revenue, according to the Group-IB report.
Stealing and selling credit card information - among other personal information - helped the groups generate $680 million, with financial fraud also raking in $426 million. In addition to the Target breach, The Home Depot was recently compromised, with Russia-based hackers likely involved.
Both Russia and China have been named major threats to the United States, launching organized cyberattacks with a focus on corporate espionage and compromising users. Unfortunately, hackers are better organized and able to compromise point-of-sale (POS) terminals in retail stores, hack ATMs, and steal consumers' personal information at a rapid pace.
A growing number of U.S. retailers are being victimized by data breaches, leaving millions of consumers at risk of identity theft and fraud - and now President Obama has stepped in, signing an executive order to enforce increased payment security measures. The federal government will now use chip-and-PIN technology for all government credit cards, providing an additional layer of security for all agencies that handle monetary payments.
"We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things," said Matthew Shay, National Retail Foundation (NRF) CEO, in a statement. "From insisting our PIN and chip cards to facilitating greater information sharing among retailers and other sectors, we are committed to finding the right answers with the latest technologies to stop these cyber thieves."
Moving forward, the President also wants additional transparency when companies suffer a data breach and consumers are impacted. Meanwhile, WalMart, Home Depot, Target, Walgreens, and other retailers plan to use chip-and-PIN point-of-sale (POS) terminals in their retail stores, starting in early 2015.
Credit card company MasterCard is rolling out a new contactless payment card in 2015 that uses a fingerprint sensor. The company partnered with Zwipe, which wants to replace a debit card PIN number or credit card signature with a fingerprint. Consumers just wave the card near an NFC reader at the checkout, with biometric authentication reportedly safer than a chip-and-PIN system.
The card will roll out to the UK market in 2015, after a trial run conducted in Norway. The card doesn't require a battery and will harvest power from the contactless till at the payment terminal each time it's used. Fingerprint data is stored directly on the card, so MasterCard and retailers won't have an external database that could be breached.
"Our belief is that we should be able to identify ourselves without having to use passwords or pin numbers," said Ajay Bhalla, MasterCard president of enterprise security solutions. "Biometric authentication can help us achieve this."
U.S. FBI Director James Comey isn't a big fan of the encryption technologies used by Google Android and Apple iOS devices, saying they could interfere with police investigations. The FBI has been able to use court orders to gain access to devices, but a growing number of law enforcement agencies are unable to crack into phones, tablets and laptops.
"If this becomes the norm, I suggest to you that homicide cases could be stalled, suspects walked free, child exploitation not discovered and prosecuted," Comey said.
Comey's comments are ill-timed, as American smartphone owners aren't impressed by government surveillance and snooping, following the revelations made public by former NSA contractor Edward Snowden last year.