More stories

  • Neiman Marcus says May 2020 breach includes millions of payment card numbers and expiration dates

    Department store giant Neiman Marcus has announced a data breach involving nearly 5 million customer accounts that included payment card numbers and expiration dates alongside other personal information.


    In a statement, the company said the breach occurred more than a year ago, in May 2020. The company told ZDNet that it only discovered the breach in September 2021. Last year, the 114-year-old company filed for bankruptcy and said it owed between $1 billion and $10 billion to more than 50,000 creditors.

    Neiman Marcus said it hired Mandiant to investigate the data breach and has notified law enforcement about what happened. The company said it is still trying to “determine the nature and scope” of the breach.

    “The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts,” the company explained.

    “Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. Approximately 3.1 million payment and virtual gift cards were affected for these customers, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted.”

    The company added that it does not believe any Bergdorf Goodman or Horchow online customer accounts were included in the breach.

    Neiman Marcus said it had created a call center to answer questions about the issue at (866) 571-9725, as well as a website for potential victims.

    Quentin Rhoads, a director at cybersecurity firm CRITICALSTART, theorized that the company waited so long to notify affected customers because of the bankruptcy filing.

    “From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet to be discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access,” Rhoads said.

    “Even though most of the credit cards and gift cards stolen don’t contain data like PINs and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen. The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems.”

    The company has a long history of data breaches, including a major one in 2013 that led to the leakage of 1.1 million customer payment cards. Credit-card skimming malware had been implanted into systems in certain stores, leading to the breach.

    Neiman Marcus agreed to a settlement in 2019 worth $1.5 million with 43 states after the 2014 incident.

  • Password-stealing Android malware uses sneaky security warning to trick you into downloading


    One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update.

    The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can’t infect Apple devices.

    FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware.

    But that isn’t the only technique cybercriminals are using to trick people into downloading FluBot malware. New Zealand’s Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages which claim the user is already infected with FluBot and that they need to download a security update.

    After following the link, the user sees a red warning screen claiming “your device is infected with FluBot malware”, which explicitly states that FluBot is Android spyware that aims to steal financial login and password data. At this point, the device is not actually infected with anything at all, but the reason the malware distributors are being so “honest” about FluBot is that they want the victim to panic and follow a link to install a “security update” which actually infects the smartphone with malware.

    This provides the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim’s address book.

    FluBot has been a persistent malware problem around the world, but as long as the user doesn’t click on the link, they won’t get infected. Anyone who fears they’ve clicked a link and downloaded FluBot malware should contact their bank to discuss whether there’s been any unusual activity, and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts. If a user has been infected with FluBot, it’s also recommended they perform a factory reset on their phone in order to remove the malware from the device.

    It can be difficult to keep up with mobile alerts, but it’s worth remembering that it’s unlikely that companies will ask you to download an application from a direct link. Downloading official apps via official app stores is the best way to keep safe when downloading apps.

  • iOS 15: Ultimate privacy and security

    iOS 15 brings several new security features to the iPhone. But ultimately, the security of a device is in the hands of the owner, who can choose to bolster that security or weaken it. Here’s what you need to know to make your iPhone a harder target for hackers and thieves. Note that these settings also mostly apply to the iPad.

    The basics

    First off, everything starts with the basics. These haven’t changed in years.

    • Use a strong passcode using Custom Alphanumeric Code (if this is easily guessable, it’s game over). If you think someone knows your passcode, change it. Go to Settings > Face ID & Passcode (or Touch ID & Passcode).
    • Turn on Face ID/Touch ID.
    • Turn on screen Auto-Lock. Go to Settings > Display & Brightness, tap Auto-Lock and set it to 30 seconds or 1 minute.
    • Make sure iOS is up to date. Go to Settings > General > Software Update and make sure Automatic Update is enabled.
    • Keep all your apps updated. Go to Settings > App Store and make sure App Updates are enabled.

    Keep an eye on apps that might be spying on you

    A new feature in iOS 15 is the ability to log what apps are up to on your iPhone. The feature is called Record App Activity, and it gives you a log of when an app accesses one of the following:

    • The user’s photo library
    • A camera
    • The microphone
    • The user’s contacts
    • The user’s media library
    • Location data
    • Screen sharing

    To enable this feature, go to Settings > Privacy and then scroll down to find Record App Activity.

    Built-in authenticator

    iOS 15 brings an end to having to fire up a third-party two-factor authenticator app. Now Apple has built one right into iOS, and better still, it can even autofill the information for you. Go to Settings > Passwords, and then for each password entry, you can tap on it to get access to an option called Set Up Verification Codes… which allows you to enter the information required using either a setup key or a QR code. Using a two-factor authenticator is far more secure than relying on SMS messages, so you should use this feature, either Apple’s authenticator or another app, to get the highest security.

    Hide your IP address from trackers

    Safari can now cloak your IP address from trackers on websites, making it pretty much impossible for your browsing to be logged. Go to Settings > Safari and set Hide IP Address to From Trackers.

    Secure your browsing

    If you have an iCloud+ subscription, Apple has just given you a great reason to use the Safari browser: iCloud Private Relay. This is like a VPN in that it sends your web traffic through other servers to keep your location secret. To enable iCloud Private Relay, you’ll need an iCloud+ subscription. Then go to Settings, tap your name at the top, then go to iCloud and enable Private Relay.

    Put a stop to email trackers

    Protect Mail Activity is a feature built into the Mail app that prevents people from knowing whether emails have been opened. To enable this feature, go to Settings > Mail, tap on Privacy Protection and enable Protect Mail Activity. If iCloud Private Relay is a good reason to switch to Safari, then this feature is a good reason to switch to Mail.

  • FCC aggressively moves to block spam calls

    Yesterday, I had a dozen — count ’em a dozen — spam calls. My carrier, Verizon, does a good job of marking most of them as spam, but it’s not perfect. Some calls get through. Now, if I were like most of you, I’d just ignore any call from an unknown number. Alas, I’m not. I’m a journalist, so I sometimes get calls that I must take from numbers I’ve never seen before. Sometimes you must do that too. But, now the Federal Communications Commission (FCC) is finally putting a stop to many spammers. 

    The FCC is doing this by forbidding legitimate telecom companies from taking calls originating from voice service providers whose certification doesn’t appear in the FCC’s Robocall Mitigation Database. This means “voice service providers will be prohibited from directly accepting that provider’s traffic.” Technically that works because telecoms must now block traffic from “voice service providers that have neither certified to implementation of STIR/SHAKEN caller ID authentication standards nor filed a detailed robocall mitigation plan with the FCC.”

    Secure Telephone Identity Revisited (STIR)/Signature-based Handling of Asserted Information Using toKENs (SHAKEN) is Caller-ID on steroids: it’s a protocol for authenticating phone calls with the help of cryptographic certificates. It’s meant to make certain that when someone calls you, the name showing up on Caller ID really is the person calling. It also lets your phone company know, in theory, who’s responsible for a specific call. STIR/SHAKEN works with both landline and cellular networks.

    Acting FCC Chairperson Jessica Rosenworcel said, “The FCC is using every tool we can to combat malicious robocalls and spoofing – from substantial fines on bad actors to policy changes to technical innovations like STIR/SHAKEN. Today’s deadline establishes a very powerful tool for blocking unlawful robocalls. We will continue to do everything in our power to protect consumers against scammers who flood our homes and businesses with spoofed robocalls.”

    Much as I’d like to think that this would drop my spam call count to zero, I know better. For example, while digital telecoms must now be using STIR/SHAKEN, old-school time-division multiplexing (TDM)/public switched telephone network (PSTN) based networks are still grandfathered in. The FCC requires that “providers using older forms of network technology [must] either upgrade their networks to IP or actively work to develop a caller ID authentication solution.” Still, no date has been set for this changeover. In addition, as Brad Reaves, North Carolina State University professor of computer science, warned in a Marketplace interview, “There are just too many loopholes and ways to bypass this system.” These include smaller voice providers that still aren’t required to implement STIR/SHAKEN. Besides that, some providers provide US phone service to people living outside the country. They’re not required to participate in STIR/SHAKEN either.

    Still, this new FCC move is a step forward. Will it end up substantially reducing spam calls? We’ll soon know if our phones finally stop ringing non-stop with junk calls. We live in hope.

  • Chief exec of cybersecurity Group-IB arrested on treason charge

    The chief executive of Group-IB has been arrested by law enforcement on suspicion of state treason. 


    Ilya Sachkov, a co-founder of the prominent Russian cybersecurity company, was arrested on Tuesday at Group-IB’s Moscow office.  The company has confirmed the incident, adding that local law enforcement conducted a search of the property on the same day. At the time, Group-IB — with headquarters in Singapore — said that the “reason for the search was not yet clear.” State news agency TASS cited an unnamed source in the country’s security forces when reporting that Sachkov’s arrest is based on suspicion of treason, specifically the transfer of classified information to foreign agencies which allegedly “employed” the executive.  However, the agency says he has not “admit[ted] guilt in transferring intelligence data to foreign special services.” The case against the cybersecurity executive is confidential, and so there are no further details available concerning the allegations.  A court order will keep the 35-year-old in custody for two months. 

    Sachkov was picked for the 2016 edition of the Forbes Under-30 entrepreneur list and has previously met Russia’s President, Vladimir Putin.

    Group-IB maintains the innocence of its executive, as well as his “business integrity.” “Group-IB’s communications team refrains from commenting on the charges brought and the circumstances of the criminal case due to the ongoing procedural activities,” the firm added. In the meantime, lawyers for the firm are on the case, and Group-IB co-founder Dmitry Volkov will assume leadership, at least for now. The cybersecurity company says that all of Group-IB’s divisions will continue to operate as normal.

  • Google just patched these two Chrome zero-day bugs that are under attack right now

    For the second time this month, Google has patched two previously unknown or ‘zero-day’ security flaws in Chrome that are already being exploited by attackers.

    Google has released a stable channel Chrome update for Windows, Mac and Linux machines to address two zero-day flaws affecting the most popular browser on the web. The update pushes Chrome up to version 94.0.4606.71. Due to the attacks, it’s prudent for organizations and consumers to update as soon as it becomes available. Google says it will roll out in the “coming days/weeks”.

    The update includes four security fixes for Chrome, including the two zero-days. One of them, a high-severity flaw tracked as CVE-2021-37975, stems from Google’s hard-to-protect V8 JavaScript engine and was reported by an anonymous researcher. Another medium-severity flaw, tracked as CVE-2021-37976, is an “information leak in core” and was reported by Google’s Threat Analysis Group (TAG) with assistance from Google Project Zero security researchers.

    “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google said in release notes.

    These latest two flaws mean Google has patched 12 zero-days in Chrome since the beginning of 2021. Google patched two zero-day Chrome flaws on September 13, marking its 10th zero-day patch for the year.

    TAG is the group at Google specializing in tracking state-sponsored attackers and has previously uncovered nefarious activity from North Korean hackers and attacks on iOS and mainstream browsers.

    Google Project Zero researcher Samuel Groß recently kicked off a project to resolve V8 bugs, which he noted are particularly dangerous. “V8 bugs typically allow for the construction of unusually powerful exploits,” Groß warned. These bugs are also resistant to modern hardware-assisted mitigations.

    Details of the two new Chrome bugs haven’t yet been added to Google Project Zero’s “0-day in the wild” tracker. After adding these Chrome bugs, the list would include a total of 48 zero-day bugs found to have been exploited in the wild since the beginning of 2021. These bugs have affected software and hardware from Google, Apple, Adobe, Microsoft, Qualcomm, and ARM.

    Google Project Zero and TAG say there has been an uptick in zero-day exploits this year, but what that means in terms of offense and defense is less clear. “There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that’s how they’re most useful,” Google’s security researchers wrote.

    The rise in zero-days could be because defenders are getting better at identifying and detecting them. But it could also be because attackers are using them more frequently, because there are more platforms to attack and there are more commercial outfits selling governments access to zero-days, thus reducing the need for technical skills to use them.

  • Android, Java bug hunting tool Mariana Trench goes open source

    Facebook has released the Mariana Trench bug hunting software to the open source community.

    This week, Dominik Gabi, Facebook software engineer, said in a blog post that Mariana Trench was originally an internal tool for the company’s security engineers but has now been released to the public “to help scale security through building automation.”

    Mariana Trench (MT) is a tool for finding vulnerabilities in Android and Java, with a particular focus on examining code in Android applications. According to the tech giant, MT is able to scan “large mobile codebases” and will alert users to potential security problems found in the code by analyzing data flows prior to production.

    MT homes in on data flows as a common source of bugs, whether this is due to incorrect data exposure or collection, or because they contain flaws that allow for the injection of malicious packages. MT scans the sources of information and their sinks, tracking possible paths, and then computes models using static analysis to hunt for errors and issues in the codebase.

    “A security engineer would start by broadly defining the boundaries of the data flows she is interested in scanning the codebase for,” Facebook explained. “If she wants to find SQL injections, she would need to specify where user-controlled data is entering the code, and where it is not meant to go. However, this is only the start — defining a rule connecting the two is not enough. Engineers also have to review the identified issues and refine the rules until the results are sufficiently high-signal.”

    Facebook warns that this tool is only one addition to a security engineer’s arsenal, and false positives prior to production need to be considered. “In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives,” the company says. “This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.”
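    To make the source/sink rule idea concrete, here is a toy forward taint analysis added as an illustration; it is not Mariana Trench’s own code, model format or API. The statement representation, the rule kinds (UserInput, SqlQuery), the sanitizer list and the two sample “programs” are all constructed for the example: a rule names where user-controlled data enters (an Intent extra) and where it must not go (a raw SQL call), and the analysis reports every path that connects the two, including flows through string concatenation.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule set in the spirit of a source/sink rule (not MT's real
# model format): where user-controlled data enters, where it must not go,
# and which calls neutralise it.
SOURCES = {"getStringExtra": "UserInput"}      # Intent extras are user-controlled
SINKS = {"rawQuery": "SqlQuery"}               # raw SQL execution
SANITIZERS = {"sqlEscapeString"}               # e.g. DatabaseUtils.sqlEscapeString
RULES = [("UserInput", "SqlQuery", "SQL injection")]


@dataclass
class Stmt:
    """One straight-line statement: target = callee(args).
    target is "" for a call whose result is discarded."""
    target: str
    callee: Optional[str]
    args: List[str]


@dataclass
class Issue:
    rule: str
    sink_index: int
    path: List[int]          # statement indices from source to sink


def analyze(stmts: List[Stmt]) -> List[Issue]:
    """Forward taint propagation over a straight-line statement list.
    taint maps a variable to (source kind, statements the taint passed through)."""
    taint = {}
    issues = []
    for i, s in enumerate(stmts):
        # 1. Check the arguments of a sink call before updating state.
        if s.callee in SINKS:
            for a in s.args:
                if a in taint:
                    src_kind, path = taint[a]
                    for rule_src, rule_sink, name in RULES:
                        if (rule_src, rule_sink) == (src_kind, SINKS[s.callee]):
                            issues.append(Issue(name, i, path + [i]))
        if not s.target:
            continue
        # 2. Update the taint state of the assigned variable.
        if s.callee in SOURCES:
            taint[s.target] = (SOURCES[s.callee], [i])
        elif s.callee in SANITIZERS:
            taint.pop(s.target, None)          # sanitiser output is treated as clean
        else:
            tainted = [a for a in s.args if a in taint]
            if tainted:                        # copies and concatenations propagate
                src_kind, path = taint[tainted[0]]
                taint[s.target] = (src_kind, path + [i])
            else:
                taint.pop(s.target, None)      # reassigned from clean inputs only
    return issues


# Constructed sample "programs": an activity building a query from an
# Intent extra, once without and once with escaping.
VULNERABLE = [
    Stmt("name", "getStringExtra", ["intent"]),
    Stmt("query", "concat", ["prefix", "name"]),
    Stmt("", "rawQuery", ["db", "query"]),
]
ESCAPED = [
    Stmt("name", "getStringExtra", ["intent"]),
    Stmt("safe", "sqlEscapeString", ["name"]),
    Stmt("query", "concat", ["prefix", "safe"]),
    Stmt("", "rawQuery", ["db", "query"]),
]

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("escaped", ESCAPED)):
        print(label, analyze(prog))
```

    Running it reports one SQL injection issue for the first program, with the path source → concat → sink, and nothing for the second. The analysis is deliberately over-approximate in the way the article describes: it flags any syntactic path from source to sink, so the reviewing engineer still has to decide whether a reported flow is reachable in production and tighten the sources, sinks or sanitizers when a rule is too noisy.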

    MT is now available on GitHub and a binary distribution has also been released on PyPI. In addition, Facebook has released the Static Analysis Post Processor (SAPP), a tool for analyzing MT results.

  • Digital transformation is creating new security risks, and businesses can't keep up

    Business strategies around technology are constantly evolving. Usually it’s a process that takes time, carefully plotted out in order to avoid disruption. But that wasn’t the case when many office workers were rapidly shifted over to remote working for the past 18 months. Employees who might not have experienced remote working suddenly found themselves working from a laptop on their living-room table, kitchen worktop or bedroom as a result of the pandemic.


    The sudden shift may have helped organisations keep operating, but for many it also came at the expense of cybersecurity. Organisations had to transform their business processes, but security didn’t necessarily keep pace, says Ian Wood, head of technology for UK and Ireland at enterprise data management software company Veritas. “That was more of an afterthought — it was all about ‘how do I get up and running, how do I transform the business?’ Not thinking about how to secure things,” he adds.

    And it’s not just offices that were forced to change. For example, bars and restaurants suddenly found that, due to social distancing rules, they had to alter how they worked. Customers couldn’t queue up to order their food and drinks, so pubs and bars had to provide digital ordering services.

    “Pubs which didn’t have much IT infrastructure suddenly had to adopt a huge amount of it,” says Wood. But without guidance some struggled, with privacy activists expressing concerns over the amount of information these applications were collecting — particularly when a lack of experience with collecting and storing all this data could lead to issues with information not being correctly secured.

    The rush to build new systems caused by the pandemic is an extreme example of digital transformation — one done with a deadline of days, rather than months or even years. However, the same problem — cybersecurity as an afterthought — is also a significant risk in long-term projects.

    Some boardrooms are focused primarily on efficiency and the bottom line — and when spending on applications and tools to help keep the company secure cuts into those areas, there’s reluctance to spend the money.


    “There’s this split between the business decision and the view of the business risk, and then the view of the cyber risk, and at the moment, the two can’t combine, don’t collaborate and don’t come together in the way that they need to,” says Lorna Rea, consultant for central government at BAE Systems.

    That split in decision making means that in some cases of digital transformation, rolling out new ways of doing things takes priority over making sure the methods of doing business are secure. For example, digital transformation projects tend (obviously and inevitably) to involve doing more with technology. From a security point of view, that means they can expand the potential attack surface of the organisation — unless that risk is understood and tackled.

    “Security just isn’t keeping pace with the digital transformation. Organisations have finite resources, and it’s very difficult to mobilise the limited resources,” says Alastair Williams, director of solutions engineering for EMEA at Skybox Security.

    But even if organisations have limited resources, that doesn’t mean that cybersecurity should simply be ignored: falling victim to a data breach or ransomware attack could cost a business much more than implementing cybersecurity practices ever would. And that’s without the ongoing damage that could be caused if consumers and partners lose faith in a business because it fell victim to an avoidable cyberattack.

    Digital transformation in many cases means investing in cloud computing services. And the basics of securing cloud services are a well-understood, if sometimes ignored, practice. For example, securing the cloud means ensuring that multi-factor authentication (MFA) is applied to every user. Then, if usernames and passwords are breached, there’s an additional step that can prevent attackers gaining direct access to the network. Some executives might grumble that MFA cuts down productivity, because people need to take a little time out to verify their identity — but it’s one of the most effective actions that can be taken to help prevent unauthorised access to company services.

    Ultimately, when looking at digital transformation, one of the best ways to help ensure data protection is prioritised is to invest in an information security team and involve them in every step of the journey. There might sometimes be tension between the business and information security units, but such integration will ultimately ensure that security is baked into the whole process. “Have your security consultants embedded, so the decisions are being made together as a collaborative team,” says Rea.

    One of the key benefits of digital transformation is that employees can collaborate from anywhere. But to make sure they can do that securely, cybersecurity needs to be a key part of the process from the very start.