
Thursday, 5 December 2013

Posted by Unknown 18:46

JPMorgan Chase admits network hack; 465,000 card users' data stolen

The banking giant suffered a network breach this year that resulted in a large data breach, though funds or critical personal information are not thought to have been stolen.



JPMorgan Chase has warned some 465,000 prepaid cash card customers that their personal information may be at risk after unknown hackers attacked its network earlier this year.

According to Reuters, which first reported the breach, the nearly half a million cards were issued for companies and businesses to pay employees and for the federal government to issue tax refunds and other welfare benefits.

The banking giant said on Wednesday its online UCard portal had suffered a breach in mid-September, which allowed an unknown number of hackers to access vast amounts of customer prepaid cash card data.

The issue was subsequently fixed and the breach reported to the FBI and Secret Service. No funds are thought to have been stolen.

It's not yet clear how hackers were able to breach the bank's network, or what information was specifically taken. But the concern is that though card data is encrypted, personal data may have been stored in plain text files.

Social security data and birth dates are not understood to have been taken, but a "small amount" of other data may have been. The bank did not elaborate.

Louisiana is one of the states requiring banks to notify customers of a data loss or breach. In a statement published by Louisiana Commissioner of Administration Kristy Nichols, she said: "The data exposure affects only cardholders who registered their cards on the JPMorgan UCard Center website and, between July and September 2013, performed certain actions online."

She added the government will "hold JP Morgan Chase responsible" to ensure state citizen data is protected.

The total number of those affected accounts for about 2 percent of its roughly 25 million UCard users.

Posted by Unknown 04:20

NSA tracking cellphone locations worldwide, Snowden documents show



The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.

The records feed a vast database that stores information about the locations of at least hundreds of millions of devices, according to the officials and the documents, which were provided by former NSA contractor Edward Snowden. New projects created to analyze that data have provided the intelligence community with what amounts to a mass surveillance tool.
The NSA does not target Americans’ location data by design, but the agency acquires a substantial amount of information on the whereabouts of domestic cellphones “incidentally,” a legal term that connotes a foreseeable but not deliberate result.

One senior collection manager, speaking on the condition of anonymity but with permission from the NSA, said “we are getting vast volumes” of location data from around the world by tapping into the cables that connect mobile networks globally and that serve U.S. cellphones as well as foreign ones. Additionally, data are often collected from the tens of millions of Americans who travel abroad with their cellphones every year.

In scale, scope and potential impact on privacy, the efforts to collect and analyze location data may be unsurpassed among the NSA surveillance programs that have been disclosed since June. Analysts can find cellphones anywhere in the world, retrace their movements and expose hidden relationships among the people using them.


U.S. officials said the programs that collect and analyze location data are lawful and intended strictly to develop intelligence about foreign targets.

Robert Litt, general counsel for the Office of the Director of National Intelligence, which oversees the NSA, said “there is no element of the intelligence community that under any authority is intentionally collecting bulk cellphone location information about cellphones in the United States.”

The NSA has no reason to suspect that the movements of the overwhelming majority of cellphone users would be relevant to national security. Rather, it collects locations in bulk because its most powerful analytic tools — known collectively as CO-TRAVELER — allow it to look for unknown associates of known intelligence targets by tracking people whose movements intersect.

Still, location data, especially when aggregated over time, are widely regarded among privacy advocates as uniquely sensitive. Sophisticated mathematical techniques enable NSA analysts to map cellphone owners’ relationships by correlating their patterns of movement over time with thousands or millions of other phone users who cross their paths. Cellphones broadcast their locations even when they are not being used to place a call or send a text message.
Posted by Unknown 04:02

Mass hack affects almost 2 million Internet accounts

Hackers stole almost 1.6 million login credentials and 320,000 e-mail credentials.

Almost 2 million accounts on Facebook, Google, Twitter, Yahoo and other social media and Internet sites have been breached, according to a Chicago-based cybersecurity firm.




The hackers stole 1.58 million website login credentials and 320,000 e-mail account credentials, among other items, the firm Trustwave reported. Included in the breaches were thefts of 318,121 passwords from Facebook, 59,549 from Yahoo, 54,437 from Google, 21,708 from Twitter and 8,490 from LinkedIn. The list also includes 7,978 from ADP, the payroll service provider. According to a Trustwave blog, "Payroll services accounts could actually have direct financial repercussions."

The hacking began Oct. 21 and might still be taking place, according to CNN.

John Miller, a security research manager at Trustwave, told CNN, "We don't have evidence they logged into these accounts, but they probably did."

There are several other servers Trustwave has not yet tracked down, Miller told CNN.

ADP, Facebook, LinkedIn and Twitter told CNN they have notified users and reset passwords for compromised accounts. Google declined to comment and Yahoo did not respond immediately, CNN reported.

The majority of passwords were from the Netherlands, followed by Thailand, Germany, Singapore, Indonesia and the United States, which accounted for 859 reports from machines and 1,943 passwords, according to Trustwave. In all, just over 100 countries were affected, and Trustwave said this shows the attack is "fairly global."

In compiling the data, Trustwave also discovered that many users are doing just what computer specialists advise against – using simplistic passwords that can easily be guessed. For instance, the top five passwords Trustwave found in researching the breaches were: 123456, 123456789, 1234, password and 12345.

According to its website, Trustwave helps businesses fight computer crime, protect data and reduce security risks.

The breaches operated through software maliciously installed on computers around the world, Trustwave said, according to CNN. The virus carried by that software has been sending the stolen information to a server in the Netherlands controlled by the hackers, according to CNN.

Trustwave researchers on Nov. 24 detected the server and found compromised credentials for about 100,000 websites.

Wednesday, 4 December 2013

Posted by Unknown 05:14

Logins stolen from Facebook, Google, ADP payroll processor



Attackers are using the 'Pony' botnet command-and-control server software

Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed "Pony."

Another company whose users' login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave's SpiderLabs.

It's expected that cybercriminals will go after main online services, but "payroll services accounts could actually have direct financial repercussions," he wrote.

ADP moved $1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.

Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.

It wasn't clear what kind of malware infected victims' computers and sent the information to the command-and-control server.

Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called "Pony," was leaked at some point, Chechik wrote.

The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.

"This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," Chechik wrote.

Information on the server indicated the captured login credentials may have come from as many as 102 countries, "indicating that the attack is fairly global," he wrote.

Prototype Malware Spreads Via Audio Signals

The digital world has its fair share of benefits, but there are also dangers and pitfalls to look out for. Computer viruses and other malware have evolved over the years, to the point that even the mobile platform is not spared. Researchers have now come up with another technique that is likely to prove a headache for network administrators everywhere: proof-of-concept software that is able to spread from one machine to another using audio signals via integrated speakers and microphones. This puts a dent in the notion that computers that remain isolated from a network cannot be infected by malware. I guess this research means the “air gap” is no longer a surefire security measure for ensuring that sensitive information remains well protected. Small amounts of data were transmitted as inaudible audio signals over covert channels, at distances reaching 65 feet. So much for a missing Internet connection being enough of a deterrent against malware. The researchers behind the proof of concept warned that attackers could arm the malware with keyloggers so that sensitive information can be recorded. They shared, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.” Now what, an isolated computer to be placed in a sound-proof room?

Tuesday, 3 December 2013

Posted by Unknown 05:25

UK man accused of hacking US government computers


A British man has been arrested and charged with hacking into computer systems of the US army, Nasa, the Environmental Protection Agency and other agencies at a cost of millions of dollars to the federal government. 

Lauri Love, 28, of Stradishall, England, and his partners stole information about government employees, including military service members, since at least October 2012 by hacking into government networks and leaving behind "back doors" through which they could return to get data, a grand jury in Newark said in an indictment. 

British authorities said on Monday that Love was also charged under a UK law that allows people to be arrested for starting attacks from the UK on computers anywhere in the world. He has been released on bail until February. Attempts to reach Love for comment on Monday weren't immediately successful. 

The US government said the purpose of the attacks was "to disrupt the operations and infrastructure" of the federal government. The New Jersey indictment does not accuse Love of selling information or doing anything else with it for financial gain. 

Love was arrested on Friday at his home about 70 miles (112 kilometers) north of London. 

He's accused of working with two co-conspirators in Australia and one in Sweden, none of whom have been charged. Their names were not disclosed in the court filing that was made public on Monday. 

The indictment includes pieces of instant message conversations that Love allegedly had with his partners. 

In one, he seems to brag about infiltrating Nasa networks: "ahaha, we owning lots of nasa sites," he said, according to the government. In another exchange, he marvels at the information the group has accessed, writing "this ... stuff is really sensitive," according to prosecutors. 

Love was charged in New Jersey because he allegedly used a server in the township of Parsippany. He also faces federal charges in Virginia for other alleged intrusions.


Backdoor in D-Link router allows attackers full access


D-Link has patched a backdoor present in a number of its routers that was publicized almost two months ago and could allow an attacker to remotely access the administrative panel on the hardware, run code and make any number of changes.

The Thanksgiving patch parade addressed the issue in a number of affected routers, most of them older versions that are still in circulation and largely untouched by consumers in particular.

Customer premises equipment such as wireless routers, modems and other set-top devices poses a real security issue because patches require firmware updates, which are often ignored. There’s plenty of research too that examines the risks posed not only by buggy routers, but by other home and small business networking equipment.

Using available tools and online search engines such as Shodan, attackers can easily find Internet-facing equipment that’s vulnerable, and target those boxes with any number of exploits or scripts focusing on weak or default credentials, giving someone remote access to the gear.

The D-Link issue is much more serious given the access it could afford a remote attacker. Researcher Craig Heffner reported finding the vulnerability in October; he said that an attacker using a certain string “xmlset_roodkcableoj28840ybtide” could access the Web interface of a number of different D-Link routers without credentials.

D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW also use the same firmware, Heffner said. The firmware revisions issued last Thursday are for DI-524, DI-524UP, DIR-100 and DIR-120 routers, D-Link said in its advisory.

“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”

Backdoors in hardware such as networking gear are generally for remote administration purposes. Researcher Travis Goodspeed told Heffner that this backdoor is used by a particular binary in the firmware that enables an administrator to use this particular string to automatically reconfigure the device’s settings.

“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”
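An added detection example, not code from D-Link, Heffner or the original post: it scans web access logs (for instance from a proxy or sensor in front of the router's admin interface) for requests whose User-Agent carries the backdoor string quoted above. The combined log format, the sample lines and the request paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Backdoor User-Agent string as quoted in the article above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" format; assumed here, adjust for your proxy or IDS.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 401 212 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [05/Dec/2013:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [05/Dec/2013:10:03:51 +0000] "POST /settings HTTP/1.1" 200 310 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.5 - - [05/Dec/2013:10:09:12 +0000] "GET / HTTP/1.1" 404 0 "-" "scanner xmlset_roodkcableoj28840ybtide"
this line is malformed and must be skipped
"""

def find_backdoor_requests(log_text):
    """Return {source_ip: [hit, ...]} for requests carrying the backdoor UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ua = m.group("ua")
        if BACKDOOR_UA not in ua:
            continue
        hits[m.group("src")].append({
            "time": m.group("ts"),
            "request": f'{m.group("method")} {m.group("path")}',
            "exact_ua": ua == BACKDOOR_UA,
            # a 2xx status suggests the device served the request
            "accepted": m.group("status").startswith("2"),
        })
    return dict(hits)

if __name__ == "__main__":
    for src, reqs in find_backdoor_requests(SAMPLE_LOG).items():
        for r in reqs:
            print(src, r["time"], r["request"],
                  "ACCEPTED" if r["accepted"] else "rejected")
```

Hits marked as accepted from outside the management network are the ones to triage first, alongside checking that the patched firmware revision is installed.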
