Hackers hit Tesco as over 2,200 accounts compromised

Tesco, an international supermarket chain, has been forced to deactivate online customer accounts after hackers took aim at its systems.
The company confirmed to The Guardian on Friday that over 2,200 of its accounts were compromised. Interestingly, it’s believed that the hackers didn’t actually break into its systems, but instead used data collected from other hacks to see if they could get any hits. The affected accounts used the same username and password combination as those in previous hacks, allowing the hackers to break in.
Rather than snoop around, however, the hackers posted the compromised accounts online, giving both personal details and usernames and passwords.
The Tesco hack comes just a couple of months after a massive data breach at Target left up to 110 million people with personal information open to hackers. Target is still investigating that breach and has closed down the gaps that allowed the hackers in. Still, it’s possible that the data leaked to the Web by those hackers is being used in a fashion similar to the way Tesco data was stolen.
According to Tesco, it has contacted the affected customers. The company has not said when the online accounts will be reactivated.

Kickstarter hacked, user data stolen

Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday.
Though no credit card info was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.
“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” the site said in a blog post, adding that “as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password.”
The site said law enforcement told Kickstarter of the breach on Wednesday night and that the company “immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.” The site also said “no credit card data of any kind was accessed by hackers” and that “there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”
You can read additional information about resetting a password here. We’ve contacted Kickstarter for more info on the attacks and will update this post when we hear back.

Kaspersky Details Sophisticated ‘Mask’ Robber Ops

Kaspersky Lab has released research findings on Careto, a malware toolkit that has hit more than 380 victims in 31 countries since 2007.

“Careto” means “mask” in Spanish, Kaspersky notes.

The word also could point to an ancient tradition incorporated into Portuguese and Brazilian Carnival festivals.

The malware targets government institutions; embassies; the energy, oil and gas sectors; private companies; research institutions; private equity firms; and activists, Kaspersky’s report states.

The attackers are highly sophisticated, according to the firm, which speculates a nation-state may be behind the malware.

“The attackers are really professionals,” Jaime Blasco, director of AlienVault Labs, told TechNewsWorld. “They were able to anticipate Kaspersky’s public disclosure, and they shut down all the infrastructure within four hours of Kaspersky’s publishing a short press release announcing the discovery of the Mask.”

What Makes Up the Mask

The Mask consists of a rootkit and a bootkit, Kaspersky says.

There are 32-bit and 64-bit Windows versions, as well as versions for OS X and Linux.

The malware attacks Android and iOS operating systems, Dmitry Bestuzhev, Kaspersky Lab’s head of research center, Latin America, told TechNewsWorld.

Careto “used exploits for iOS and also Chrome, which previously only had few known vulnerabilities,” he pointed out. “The cost to develop such attacks is pretty high. One has to have very deep pockets to make this attack real.”

Detection is difficult, because “malware like this has the ability to morph based on its environment,” Ken Westin, security researcher for Tripwire, told TechNewsWorld. “It can sniff out what is on the systems and network, and send data to a remote server where it can receive specific exploit code for the targeted system.”

Further, malware can constantly change when downloaded to new systems, so its signature is never the same, Westin said.

The Things Mask Does

Mask uses a customized attack against older versions of Kaspersky Lab products to hide in the system.

It can intercept network traffic, keystrokes, Skype conversations and PGP keys, according to Kaspersky. Mask also can analyze WiFi traffic, fetch information from Nokia devices, capture screens and monitor file operations.

It’s likely that the Nokia phones were specifically included because the attacker “must have previously known that their victims used Nokia mobile devices, so they had to make something 100 percent effective and running on this platform,” Kaspersky’s Bestuzhev said.

Mask collects encryption keys, VPN configurations, SSH keys, and RDP files. It has several extensions that Kaspersky has not yet identified.

“After reading the paper, [I believe] it is indeed the most complex piece of malware ever discovered,” Sorin Mustaca, an IT security expert at Avira, told TechNewsWorld.

How the Malware Attacks

Mask relies on spearphishing emails containing links to a malicious website, Kaspersky said.

Infected visitors later are redirected to a benign website, which could be a YouTube movie or a news portal.

Some malicious websites have subdomains simulating subsections of the main newspapers in Spain, as well as The Guardian and The Washington Post, in order to look genuine.

Mask leverages three separate backdoors. Careto is a general-purpose backdoor that collects system information and executes arbitrary code provided by the C&C servers. Another, called “SGH,” works in kernel mode. It contains rootkit components and interceptor modules, steals files, and maintains its own connection to C&C servers.

The third is a custom compiled backdoor based on the sbd open source netcat clone that is available in Win32, OS X and Linux variants, notes Kaspersky.

To minimize the chances of detection, the malware is signed digitally with a valid certificate from an obscure company called “TecSystem Ltd.,” reports Kaspersky.

Internet of Things, Part 1: God’s Gift to the NSA

The United States National Security Agency’s salivary glands no doubt started working overtime when it became apparent that technological advances were moving the world toward an Internet of Things — a world where everything would be connected to everything else wirelessly or over the Web.

Almost two years ago, David Petraeus, then director of the U.S. Central Intelligence Agency, enthused that the IoT would transform surveillance techniques, Wired reported.

The smart home, and smart devices in it, would send tagged data with geolocations that could be intercepted in real time. Items of interest could be located, identified, monitored, and remotely controlled through technologies such as sensor networks and tiny embedded servers, Petraeus said.

The mention of tiny embedded servers may have come to people’s minds last month, when news that the NSA had surreptitiously embedded microphone-bearing circuit boards and USB cards into PCs to spy on their users made the headlines.

Cracking the IoT Nut

Getting into IoT devices is not at all difficult.

When consumers’ washing machines, dishwashers, thermostats, lights and coffeemakers are all linked to the Internet, either independently or through the home entertainment center’s routers, tracking just about every aspect of a target’s life will be a breeze.

“Most home users buy a router and use the default settings,” Tommy Chin, technical support engineer at Core Security, told TechNewsWorld. “Sometimes the settings are misconfigured by the manufacturer, and they will be exploited by hackers.”

The NSA, of course, is the granddaddy of all hackers — angrily described by Microsoft as an “advanced persistent threat.”

Newer devices made for the IoT “usually run operating systems like Linux” and are deficient in terms of cybersecurity, remarked Ken Westin, security researcher for Tripwire.

Symantec in November found a new Linux worm, Darlloz, that appeared to have been built to target the IoT.

Hot Rod Blues

Automakers are pushing smart cars, and Microsoft, Apple and Google are fighting for a share of the in-vehicle infotainment and telematics market, which Accenture has predicted will exceed US$80 billion this year.

Samsung and BMW have jointly developed the “iRemote” application, which lets owners of Samsung’s Galaxy Gear smartwatch monitor the doors and batteries of their i3 electric car and change the vehicle’s indoor temperature using the device.

Meanwhile, the auto insurance industry is pushing smart devices that plug into a standard car port and monitor how fast and far a car goes, and how it is driven. These devices also report on the car’s location.

The amount of user data gathered on people in cars by telematics systems, personal navigation devices and smartphones has spurred an investigation by the U.S. Government Accountability Office, which in December submitted a report to the Senate on this issue.

No Place Like Home

On the home front, LG has rolled out its HomeChat service, which connects users to their kitchen products through the Line smartphone messaging app.

Recollect that LG TVs could spy on their owners, and that the company in November was forced to address this issue.

Google recently laid out $3.2 billion for Nest, which makes smart thermostats and smoke alarms that come with a mobile app. The move sparked speculation that Google wanted to better track consumers for the purpose of serving up ads to them.

However, the purchase also could be useful to the NSA, as it would allow it to get even more information on targets when it serves Google with demands for information about them — a fact not lost on security and privacy advocates.

Nest CEO Tony Fadell waffled when asked last month whether the company would provide information on user habits to Google, only denying that integration of both companies’ data was then on the table.

Fashionista Hell

Things will get even more up close and personal. At CES 2014 earlier this year, Intel talked about its plans for wearable devices.

Also, the French National Research Agency is funding research on cooperation in and between wireless body area networks in Project Cormoran.

Saving Us From Ourselves

The fact that IoT technologies are ripe for exploitation by the NSA is just the beginning. The agency now has equipment that lets it ravage the IoT.

The Nightstand — one of the products in its 50-page catalog of spying devices — is a standalone x86 laptop running Linux Fedora Core 3 that can be used to attack PCs running various flavors of Windows. In field operations, it has been used to inject packets into targets up to eight miles away.

The NSA also is reported to be harvesting millions of text messages worldwide daily.

The White House’s Stance

Pressured by rising anger over the NSA’s surveillance activities, President Obama in January outlined some measures to restrict the agency.

However, it was clear that the surveillance would not be terminated.

The U.S. needs to be able to collect data on potential terrorists’ communications, Obama said.

Protect Yourself at All Times

Users should protect their home networks to prevent hacks through the IoT, Tripwire’s Westin told TechNewsWorld.

They must change the default passwords on home routers; enable the built-in firewalls on the routers; and update their firmware when patches are available.

Sorin Mustaca, an IT security expert at Avira, lists cybersecurity recommendations here.

Manufacturers should use tamper-resistant licensing code for applications that sit at the operating system level, Mathieu Baissac, a security expert at Flexera Software, told TechNewsWorld.

Among other things, Baissac said, manufacturers also should ensure that applications on their devices, mobile device management systems and other products “have an easy, automated mechanism for getting the latest security patches and updates as fast as possible.”