More stories


    Home Depot agrees to $17.5 million settlement over 2014 data breach

    Home Depot has agreed to a $17.5 million settlement in a multi-state investigation of a data breach suffered by the company in 2014.

    Delaware Attorney General Kathy Jennings announced the settlement on Tuesday, in which a total of 46 states, as well as the District of Columbia, have reached a resolution with the US retailer.
    In 2014, Home Depot confirmed that a cyberattack had occurred on its payment systems, impacting customers across the US and Canada.
    Starting in April 2014 and detected in September of the same year, the cyberattack mirrored what was also experienced by rival retailer Target in 2013, in which point-of-sale (PoS) systems were infected with malware designed to steal payment card data. 
    Approximately 40 million Home Depot customers were impacted by the PoS malware, which remained hidden on the company’s self-checkout systems for months.  
    This information can be used to make fraudulent purchases online or for the creation of clone cards, potentially leading to consumer bank accounts being pilfered and creditworthiness becoming impacted. 

    Alongside the settlement, Home Depot has agreed to implement and maintain new security practices in the future. These include employing a chief information security officer (CISO), providing security awareness training, and rolling out network access security improvements, two-factor authentication (2FA) standards, and more. 
    “Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts AG Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”
    At the time of Home Depot’s breach, online customers were not involved. Six years on, we now commonly see payment card information being harvested across e-commerce websites in what are known as Magecart attacks.
    Instead of infiltrating corporate networks in order to strike PoS systems, Magecart operators exploit vulnerabilities in online platforms and deploy JavaScript code able to skim and steal payment information submitted by customers when they make a purchase.  


    2FA bypass discovered in web hosting software cPanel

    Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers.

    The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.
    These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim’s site.
    On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.
    But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account.
    While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today.
    Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner.

    While this might make some website owners think the bug is not important, the opposite is true: 2FA solutions were invented in the first place to protect against the use of phished credentials, so any 2FA bypass like this bug needs to be treated with the utmost urgency and attention.
    The good news is that Digital Defense privately reported the bug, tracked as SEC-575, to the cPanel team, which released patches last week.
    Website owners who use 2FA on their cPanel login can see if their web hosting provider has rolled out the update to their cPanel installation by checking the platform’s version number.
    Per cPanel’s security advisory, the 2FA bypass issue has been patched in cPanel & WHM software 11.92.0.2, 11.90.0.17, and 11.86.0.32.
    Users should not disable 2FA for their cPanel accounts because of this bug, but should instead request that their web hosting providers update the cPanel installation to the latest version.
    A cPanel spokesperson was not immediately available for comment.


    Stantinko's Linux malware now poses as an Apache web server

    Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.
    The upgrades, spotted by security firm Intezer Labs, confirm that, despite a period of inactivity in terms of code changes, the Stantinko botnet continues to operate even today.
    A short history of Stantinko

    The Stantinko botnet was first detected in 2012. The group behind this malware began operating by distributing the Stantinko trojan as part of app bundles or via pirated apps.
    Only Windows users were targeted in the beginning, with the malware using infected hosts to show unwanted ads or for installing a hidden cryptocurrency miner.
    As the botnet grew in size and started generating more profits, its code evolved across the years. A considerable update was discovered in 2017 [see PDF report] when Slovak security firm ESET spotted Stantinko also deploying special versions of its malware for Linux systems.
    This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network.
    Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate even more profits for the malware authors.
    New Stantinko Linux version

    But crypto-mining botnets like Stantinko are a dime a dozen, and they aren’t usually tracked with the same vigor as ransomware gangs or botnets like Emotet or Trickbot.
    The last version of Stantinko’s Linux malware was spotted back in 2017, having a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they have recently discovered a new version of Stantinko’s Linux malware, having a version number of 2.17 — a huge jump from the previous known release.
    However, despite the huge version gap between the two releases, the Intezer team notes that the new version is actually leaner and contains fewer features than the older release, which is odd, as malware tends to bulk up as years go by.
    One reason behind this odd move is that the Stantinko gang might have removed all the chaff from its code and left only the features they need and use on a daily basis. This includes the proxy feature, still present in the newer release, and crucial for its brute-forcing operations.
    Another reason might also be that the Stantinko gang was attempting to reduce the malware’s fingerprint against antivirus solutions. Fewer lines of code mean less malicious behavior to detect.
    And Intezer notes that Stantinko almost pulled it off, as the newer version had a very low detection rate on the VirusTotal aggregated virus scanner, almost going undetected.
    Posing as Apache’s web server
    Furthermore, the Stantinko gang appears to have put a premium on stealth in this newer release, because they also modified the process name its Linux malware uses, choosing to go with httpd, the name usually used by the more famous Apache web server.
    This was obviously done to prevent server owners from spotting the malware during a routine visual inspection, as the Apache web server is often included by default in many Linux distros, and an httpd process is usually already running on the kinds of Linux systems that Stantinko generally infects.
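    Because a process name is whatever the program asks for, a defender should compare the claimed name against where the binary actually lives. The following script is an added example (not Intezer's or Stantinko's code) that walks a /proc-style tree and flags any process calling itself httpd whose executable is not one of the assumed package install paths, runs from a scratch directory, or has been deleted from disk after starting; it builds a constructed fake tree so it can be run offline.

```python
"""
Spot processes masquerading as Apache httpd: the name in /proc/<pid>/comm is
self-declared, but /proc/<pid>/exe resolves to the binary really in use.
Added example built for this article; sample data below is constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: where distribution packages normally install the Apache binary.
# Adjust for your fleet (Debian/Ubuntu use apache2, RHEL/Fedora use httpd).
EXPECTED_HTTPD_PATHS = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}
# Writable scratch locations a real web server would never be launched from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def inspect_process(proc_dir: Path) -> Optional[Dict]:
    """Return a finding if the process claims to be httpd but its binary is
    not where a packaged Apache would be; return None if it looks genuine."""
    try:
        comm = (proc_dir / "comm").read_text().strip()
    except OSError:
        return None  # process exited, or comm unreadable
    if comm != "httpd":
        return None
    try:
        exe = os.readlink(proc_dir / "exe")
    except OSError:
        # exe is only readable for your own processes unless you are root.
        return {"pid": proc_dir.name, "comm": comm, "exe": "<unreadable>",
                "reasons": ["cannot read exe link (rerun as root)"]}
    reasons: List[str] = []
    if exe.endswith(" (deleted)"):
        reasons.append("binary deleted from disk after start")
        exe = exe[: -len(" (deleted)")]
    if exe not in EXPECTED_HTTPD_PATHS:
        reasons.append("unexpected executable path " + exe)
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append("runs from a writable scratch directory")
    if not reasons:
        return None
    return {"pid": proc_dir.name, "comm": comm, "exe": exe, "reasons": reasons}


def scan(proc_root: str = "/proc") -> List[Dict]:
    """Inspect every numeric entry under proc_root; sorted by pid."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            finding = inspect_process(entry)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: int(f["pid"]))


def build_sample_proc() -> str:
    """Constructed /proc look-alike: a genuine Apache worker, an impostor
    started from /tmp and then unlinked, and an unrelated sshd."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        "1001": ("httpd", "/usr/sbin/httpd"),
        "2042": ("httpd", "/tmp/.x/httpd (deleted)"),
        "3007": ("sshd", "/usr/sbin/sshd"),
    }
    for pid, (comm, exe_target) in samples.items():
        d = Path(root) / pid
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        os.symlink(exe_target, d / "exe")  # dangling link; we only readlink it
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_proc()):
        print(finding)
```

    Run it against the real /proc as root on a suspect host; a hit only says the binary is not the packaged one, so confirm with the package manager's file verification before acting.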
    Either way, Linux system administrators need to realize that as the Linux OS becomes more widespread in enterprise environments today, more and more malware operations will begin targeting Linux, and many gangs will also bring over all their expertise and trickery from years of developing Windows malware.
    What Linux server owners need to know is that despite Linux being a secure OS, malware often burrows deep inside systems because of misconfigurations. In Stantinko’s case, this botnet goes after server administrators who use weak passwords for their databases and CMSs.
    In fact, this is how all malware operates, regardless of operating system.
    Malware rarely exploits OS-level vulnerabilities to gain a foothold on a system. In most cases, malware gangs usually focus on:
    app misconfigurations that have left open ports or admin panels exposed online;
    outdated apps left without security patches;
    systems/apps that use weak passwords for internet-facing services;
    tricking users into taking dangerous actions (social engineering);
    or exploiting bugs in the apps that run on top of the operating system.
    Exploits in the Linux OS itself are rarely used, and usually after the malware has already gained access to a system through one of the methods above.
    These exploits, delivered as second-stage payloads, are usually used to elevate privileges from low-level to admin accounts, so the malware can take full control of the attacked system. This is why, even if Linux (or any other OS) isn’t targeted directly, it still needs to be kept up to date to prevent these user-to-root elevations once attackers gain a foothold on infected hosts.
    Keeping systems safe from attacks is easy in principle, as system administrators mostly need to keep apps up to date and use strong passwords. Yet this is always hard work because, in most cases, companies run hundreds or thousands of systems at the same time, and attackers only need to find one weak link to get in.


    Spotify launches ‘rolling reset’ on customer accounts, passwords linked to data leak

    Spotify has issued a rolling password reset of some user accounts following the discovery of an open database containing user credentials. 

    This week, vpnMentor researchers Noam Rotem and Ran Locar made their findings public, in which an open Elasticsearch database was found during the firm’s web mapping project.
    The 72GB database contained over 380 million records, “including login credentials and other user data being validated against the Spotify service,” the team said. 
    According to vpnMentor, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use in hijacking user accounts.
    “These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” Rotem and Locar said. 
    Some, but not all, Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials — both usernames and passwords — were available to view. 

    The information was not encrypted. As a result, these records could be used to access and take over accounts, as well as perform credential-stuffing attacks should the password and email combinations be used on other platforms or to access other applications. 
    However, it should be noted that the leaked data relates to only a tiny fraction of Spotify’s 299 million monthly active users.
    vpnMentor discovered the database on July 3, and following a review, contacted Spotify on July 9. Between July 10 and July 21, the music streaming service initiated a rolling reset of passwords for the users identified in the database, ensuring the password and username combinations — at least on the Spotify platform — would become useless. 
    ZDNet has reached out to Spotify and will update when we hear back. 


    Blockchain in 2021 is a tale of two speeds

    The pandemic amplified trends that were already underway – and so 2020 has been a year of reckoning for distributed ledger technology (DLT; aka blockchain). More realistic and pragmatic approaches to blockchain initiatives have been the order of the day for some time, as, increasingly, budgets for pure R&D projects — run in isolation from the business — were becoming harder to obtain. 
    Enter COVID-19, and the picture changed rapidly. Budgets for purely experimental and speculative projects have been cut this year. Long-term strategic projects, in particular those requiring changes to market structure or regulatory changes, are mostly working to extended timetables now. 

    By contrast, projects with clear benefits are not only continuing but are doing so at a faster pace; there’s also been an uptick in the number of companies interested in participating in networks that help address some of the supply chain issues that the pandemic threw into sharp relief. 
    The Forrester predictions on Blockchain in 2021: 

    Globally, 30% of projects will make it into production. This number doesn’t just reflect the more realistic approach to projects that we noted and the increasing maturity of the technology but also the pandemic-induced acceleration and initiation of projects that bring measurable benefit within a short timescale. The majority of networks that transition from pilot to production will run on enterprise blockchain platforms.  

    Permissioned blockchains will remain the order of the day. While many enterprise technology leaders have become increasingly open to exploring the role that public blockchains could have in an enterprise context in the long term, the headlines generated by decentralized finance (DeFi) during the summer have put the lid back on the discussion. The reassociation of public blockchains with the more Wild West aspects of crypto assets is scaring away compliance- and risk-aware business leaders, making it difficult for even the most ardent supporters on the tech side to maintain or pick up the topic.

    China will make the fastest progress. China’s “new infrastructure” national initiative makes blockchain an integral part of the country’s digital infrastructure. In 2021, the Chinese government will make investments in most provinces across all verticals, and we’ll see a steady stream of systems going into production. China’s ambitions to provide a global public infrastructure via its global Blockchain Service Network won’t advance far in the current geopolitical climate. The European Blockchain Services Infrastructure (EBSI) is equally bold in its mission. Convoluted procurement processes and conflicting interests, however, mean that EBSI will see some incremental progress in the form of pilot projects but no major breakthroughs. 

    This post was written by Forrester VP & Principal Analyst Martha Bennett, and it originally appeared here.


    Baidu's Android apps caught collecting sensitive user details

    Two Android applications belonging to Chinese tech giant Baidu have been removed from the official Google Play Store at the end of October after they’ve been caught collecting sensitive user details.

    The two apps — Baidu Maps and Baidu Search Box — were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed.
    According to the US security firm, the two apps contained code that collected information about each user’s phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.
    The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
    Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is “rather harmless,” some data like the IMSI code “can be used to uniquely identify and track a user, even if that user switches to a different phone.”
    The research team said that while the collection of personal user details is not specifically forbidden by Google’s policy for Android apps, after they reported the issue to Google the Play Store security team confirmed their findings and “identified [additional] unspecified violations” in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
    At the time of writing, the Baidu Search Box app has been restored to the Play Store, and Palo Alto Networks said Baidu developers have removed the data collection code.

    But in addition to the Baidu Push SDK, the Palo Alto Networks team said they also identified similar data collection code in the ShareSDK developed by Chinese ad tech giant MobTech.
    This SDK, used by more than 37,500 apps, also allows app developers to collect data such as phone model information, screen resolution, MAC addresses, Android ID, Advertising ID, carrier info, and IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) codes, Achleitner and Xu say.
    “Analysis of Android malware shows that SDKs, such as the Baidu Push SDK or ShareSDK, are frequently used by malicious applications to extract and transmit device data,” Achleitner and Xu said, suggesting that while the SDKs may have been developed for legitimate purposes, such as pushing notifications and sharing content on social media, they are often abused by the developers of malicious apps.
    All in all, this is a regular problem not only for the Android ecosystem, but for the entire online app world, with many apps collecting sensitive user details without restriction in the absence of legislation that specifically prohibits such practices.


    1Password: My favorite password manager is an essential security tool

    Do you use a password manager? As far as I’m concerned, it’s the single most important security precaution you can take, regardless of which hardware platforms you favor. (If you want to read my full case for why everyone should adopt this security measure, see this explainer: “Forgot password? Five reasons why you need a password manager.”)
    The biggest advantage of a good password manager is that it allows you to create and save a unique, impossible-to-guess password for every online service you use. That collection of passwords is stored in an encrypted database that only you can unlock, and with your permission that database can be synced, securely, to every Windows PC, Mac, and mobile device you own.
    I’ve tried a lot of password managers over the years, and there are some worthy contenders in this category. (For a full list of options, see “The best password managers for business: 1Password, Keeper, LastPass, and more.”) My favorite, and the one I enthusiastically recommend to friends, family, and co-workers, is 1Password. I ignored this program for years because it catered mainly to Mac owners. That might have been true years ago, but today, this is hands down the best cross-platform password manager solution.

    My favorite password manager has it all. It works on every desktop and mobile hardware platform. It has every feature you expect from this class of software, including a robust password generator that can create and save truly random, unguessable credentials, as well as support for two-factor authentication. And it offers sync options to satisfy even the most skeptical among us.
    Pricing: 1Password is a subscription product that is sold in personal and business editions. The personal options cost $36/year for a single user (on as many devices as you want) or $60/year for a family plan that supports up to five people. Business plans include a $4/month Teams option and an $8/month Business option that includes additional security features and a free Family plan for every licensed user. Enterprise customers can call for a custom quote.
    Toronto-based 1Password was founded 15 years ago, in 2005, and has built up a steady, profitable business in that time. But that didn’t stop the company from taking $200 million of series A capital in 2019 to expand into new markets.
    So far, that plan has been working out extremely well.
    The number-one reason why I love this app is its dead-simple usability. It’s one of the first programs I install when I set up a new Windows 10 PC or a Mac. It’s also a must-install app on iOS and Android devices. (There’s even a command-line version, if you want to incorporate authentication into scripts.) Regardless of platform, 1Password is uncannily accurate at filling in saved passwords, especially on sites with multi-step authentication flows and two-factor authentication. That was a particularly annoying pain point with other password managers I’ve used through the years.
    The other killer feature is the ability to create shared password databases (1Password calls them “vaults”). In my family, we have separate password vaults for personal accounts, but the saved credentials for shared subscriptions and shopping accounts go into a shared vault. When my wife wants to check up on the status of an order I placed online, she doesn’t need to ask me to log in and check for her. She can do it herself from her Windows 10 PC or her iPhone, using the saved password from our shared vault.

    One of the most controversial aspects of any password manager program is the ability to sync from the cloud, a feature that neatly balances convenience and security.  If you choose the option to store your data on 1Password’s servers, you get some extremely robust security. All data is encrypted at rest and in transit, and connecting a new device requires that you enter your private 128-bit secret key plus a master password that only you know. If you’re still nervous, you can add two-factor authentication. (I’ve configured our family account to accept the Microsoft Authenticator app or one of two hardware keys as a second factor for authentication.)

    You can configure 1Password to alert you when a site supports 2-factor authentication.
    But if the word cloud makes you start to itch uncontrollably, that’s not a problem. For those who are nervous about storing an encrypted password cache on 1Password’s servers, you have options: You can choose to store the database using Dropbox or iCloud instead, protected by the security features of those platforms. If you prefer the no-cloud option, you’re covered. You can sync passwords between devices on your local network only. In that configuration, 1Password never has access to your encrypted password database, and it can’t be hacked from some obscure Eastern European location.
    My favorite recent addition to the 1Password feature set is the ability to generate two-factor authentication (2FA) codes. Previously, I had to rely on a separate authenticator app to handle that chore. (For details, see “Protect yourself: How to choose the right two-factor authenticator app.”)
    I can’t emphasize enough how easy 1Password is to use, especially on mobile devices. If you’re flummoxed by passwords, this could be your savior.
    Alternatives
    If you’re looking for an alternative to 1Password, I recommend these options:
    Keeper: In my tests, this service was incredibly close to 1Password in terms of usability, and their enterprise story is compelling. It has a full suite of superb cross-platform apps and technical support is first-rate. Put this one on your shortlist if you’re looking for a business-focused password manager.
    LastPass: I used this app for years and left, reluctantly, after a security breach shattered my confidence in the company. They’ve since been purchased by the owners of LogMeIn, and the company seems none the worse for wear.