Stroustrup: Why the 35-year-old C++ still dominates ‘real’ dev

In an interview, C++ designer Bjarne Stroustrup says the programming language remains vital and relevant 35 years after he first designed it in 1979 because of its ability to handle complexity, making it the go-to solution for telecom, financial, and embedded applications and online systems such as Amazon and Google. Stroustrup says Google’s Go language, which has been receiving a great deal of attention, can “do a few things elegantly,” but loses “the edge in performance.” Stroustrup says he used C++ for projects that “required a real programming language and real performance,” by way of noting the language is more suitable for large-scale projects than small apps or hobbyists. Stroustrup says he is continuing to work to build the capabilities of C++ with the release of a new minor edition, C++ 14, this year. The update offers several improvements, including new templates and better memory initialization. Asked what role security should play in software development, Stroustrup says, “security is a systems issue.” He also calls for greater professionalism among software programmers. “There are things in our society that mustn’t break, and most of them depend on software,” he says.

Stroustrup: Why the 35-year-old C++ still dominates ‘real’ dev | Application development – InfoWorld.

Southern California Albertsons stores hit by data breach

The Albertsons grocery chain said Friday that hackers attempted to obtain customer credit and debit card information from its approximately 180 Southern California stores, as well as those in several other states.

The data breach started as early as June 22 and ended July 17 at the latest, Albertsons said.

Albertsons, based in Boise, Idaho, said it has no evidence any customer data was misused, or even stolen. The company said it believes that the breach has been contained, and that customers can safely use their cards in its stores.

The breach is the latest to hit large U.S. retailers, including Target Corp., and has renewed concerns about the safety of credit card information. The threat extends beyond big business — smaller independent shops have been hit by cyber theft as well, according to a California database.

via Southern California Albertsons stores hit by data breach – LA Times.

Expanding cybersecurity and privacy research

The U.S. National Science Foundation’s Secure and Trustworthy Cyberspace (SaTC) program has announced new projects designed to support cybersecurity research and education and address grand challenges in cybersecurity science and engineering. SaTC has awarded Frontier awards to help establish the Center for Encrypted Functionalities (CEF), and to the Modular Approach to Cloud Security (MACS) project. CEF’s goal is to use new encryption methods to make a computer program invisible to outside observers without compromising its functionality, through program obfuscation, which involves creating software that can hide vulnerabilities from potential adversaries and strengthen encryption and information transfer. CEF also plans to introduce cybersecurity and computer science to under-represented groups and to develop free Massive Open Online Courses on the fundamental principles of encryption. Meanwhile, MACS will build information systems for the cloud with multilayered security, and plans to use the Massachusetts Open Cloud as a testbed. MACS will build the cybersecurity system from separate functional components to develop an entire system derived from the security of its components.

Expanding cybersecurity and privacy research » CCC Blog.

Google’s big-data tool, Mesa, holds petabytes of data across multiple servers

Google says its big-data architecture, Mesa, can store petabytes of data, update millions of rows of data per second, and field trillions of queries daily across multiple servers, enabling continuous operation of the data warehouse even if a data center fails. “Mesa ingests data generated by upstream services, aggregates and persists the data internally, and serves the data via user queries,” note Google researchers. They say Mesa was originally constructed to house and analyze critical measurement data for Google’s Internet advertising business, but the technology could be applicable to other, similar data warehouse tasks. Mesa is dependent on other Google technologies, such as the Colossus distributed file system, the BigTable distributed data storage system, and the MapReduce data analysis framework. Google engineers implemented Paxos, a distributed synchronization protocol, to help address query consistency issues. Mesa also can operate on generic servers, making costly specialized hardware unnecessary and enabling Mesa to be run as a cloud service with the advantage of scalability.

Google’s big-data tool, Mesa, holds petabytes of data across multiple servers – Computerworld.

Verifying preferred SSL/TLS ciphers with Nmap

A very interesting script written by Bojan Zdrnja — the script itself can be found on GitHub. Note that I had to upgrade nmap to nmap-6.25 with the command:

brew install nmap

In the last year or two, there has been a lot of talk regarding the correct usage of SSL/TLS ciphers on web servers. Due to various more or less known incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys are exchanged. PFS ensures that, in case an attacker obtains the server’s private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to exchange symmetric keys), then the attacker can easily decrypt *all* previous SSL/TLS connections. That’s bad.

However, the whole process of choosing a cipher is not all that trivial. By default, the client will present its preferred cipher to use and as long as the server supports that cipher it will be selected. This is, obviously, not optimal in environments where we want to be sure that the most secure cipher will always be selected, so administrators quite often enable their servers so they get to pick the preferred cipher.

This allows an administrator to enable only the ciphers he wants used, and additionally to define their priorities – the server will always try to pick the cipher with the highest priority (which should be “the most secure one”). Only if the client does not support that cipher will the server move to the next one, and so on, until it finds one that is supported by the client (or, if it doesn’t, the SSL/TLS connection will fail!).

This is good and therefore I started recommending that web server administrators configure their servers so that PFS ciphers are turned on. However, on several occasions I noticed that the administrators incorrectly set the preferred cipher suite order on the server. This can result in non-PFS cipher suites being selected, although both the server and the client support PFS.

via InfoSec Handlers Diary Blog – Verifying preferred SSL/TLS ciphers with Nmap.
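The server-preference selection the diary describes, as an added Python example (not the ISC diary's Nmap script and not the original post's code): it walks the server's priority list, flags an order in which a non-PFS suite is negotiated even though both sides share a PFS suite, and shows the reordered list. The suite lists, `audit_order` and `pfs_first` are constructed for this illustration; suite names follow the IANA naming that Nmap's ssl-enum-ciphers prints.

```python
import re

# Constructed example, not the ISC diary's Nmap script: simulates the
# server-preference selection described above and flags orders in which a
# non-PFS suite wins even though server and client share a PFS suite.
# Suite names are IANA-style, as Nmap's ssl-enum-ciphers prints them.
PFS_KX = re.compile(r"^TLS_(ECDHE|DHE)_")  # ephemeral key exchange => forward secrecy

def provides_pfs(suite):
    return PFS_KX.match(suite) is not None

def server_preference_select(server_order, client_offer):
    """First suite in the server's priority list that the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)  # None: handshake fails

def audit_order(server_order, client_offer):
    """Return (negotiated suite, shared PFS suites the server ranked below it)."""
    chosen = server_preference_select(server_order, client_offer)
    if chosen is None or provides_pfs(chosen):
        return chosen, []
    offered = set(client_offer)
    skipped = [s for s in server_order[server_order.index(chosen) + 1:]
               if s in offered and provides_pfs(s)]
    return chosen, skipped

def pfs_first(server_order):
    """Stable re-ordering that moves every PFS suite ahead of the non-PFS ones."""
    return sorted(server_order, key=lambda s: 0 if provides_pfs(s) else 1)

# Constructed sample data: the admin listed AES-256 first "because it is stronger",
# and the client supports an ECDHE suite.
MISORDERED_SERVER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, order in (("as configured", MISORDERED_SERVER), ("PFS first", pfs_first(MISORDERED_SERVER))):
        chosen, skipped = audit_order(order, CLIENT_OFFER)
        print("%s: negotiated %s; PFS suites ranked lower: %s" % (label, chosen, skipped))
```

With the configured order the audit reports the static-RSA suite as negotiated and the shared ECDHE suite as skipped; after `pfs_first` the ECDHE suite wins.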

New Protection Scheme Makes Weak Passwords Virtually Uncrackable

A team of researchers at the New York University Polytechnic School of Engineering say they have found a way to help organizations better protect passwords.

Using an open-source password protection scheme they dubbed PolyPasswordHasher, the researchers believe they can make it much more difficult for hackers to decode even the shortest individual passwords. The PolyPasswordHasher is currently being tested as part of the Password Hashing Competition, a global effort organized by security professionals to identify new password protection schemes.

According to the researchers, most passwords are stored in databases using a salted hash, a one-way encryption technique that offers protection in the event a database is hacked. However, in cases where attackers gain privileged access to a running system, they can intercept an administrator’s password information before that protection is in place.

With PolyPasswordHasher, password information is never stored directly in a database; the information is used to encode a cryptographic “store” that cannot be validated unless a certain number of passwords are entered. In other words, an attacker would need to crack multiple passwords simultaneously in order to verify any single hash.

via New Protection Scheme Makes Weak Passwords Virtually Uncrackable | SecurityWeek.Com.
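The threshold idea described above, as an added toy illustration in Python (constructed for this page; it is not the researchers' PolyPasswordHasher code and simplifies their scheme): each account's Shamir share is blinded with a salted password hash, so no individual entry can be checked until a threshold of correct passwords is supplied together. The class name, the field prime and the sample accounts are assumptions of this example.

```python
import hashlib
import os
import secrets

# Constructed toy in the spirit of the PolyPasswordHasher idea (not the researchers'
# code): each account's Shamir share is blinded with a salted hash of its password,
# so nothing can be checked until `threshold` correct passwords arrive together.
P = 2**127 - 1  # prime field for the shares (constructed parameter)

def _h(salt, password):
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % P

def _interp_at_zero(points):  # Lagrange interpolation (distinct x) evaluated at x = 0
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class ToyPolyStore:
    def __init__(self, threshold):
        self.k = threshold
        secret = secrets.randbelow(P)
        # degree k-1 polynomial with the secret as constant term (wipe after setup in real use)
        self._poly = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
        self.verifier = hashlib.sha256(secret.to_bytes(16, "big")).digest()
        self.accounts = {}  # user -> (share index, salt, blinded share): the on-disk part
        self._secret, self._points = None, []  # set only by a successful unlock
    def add_user(self, user, password):
        idx, salt = len(self.accounts) + 1, os.urandom(16)
        share = sum(c * pow(idx, i, P) for i, c in enumerate(self._poly)) % P
        self.accounts[user] = (idx, salt, (share + _h(salt, password)) % P)
    def _point(self, user, password):  # correct password => point lies on the polynomial
        idx, salt, blinded = self.accounts[user]
        return idx, (blinded - _h(salt, password)) % P
    def unlock(self, creds):  # needs k distinct (user, password) pairs, all correct
        creds = dict(creds)
        if len(creds) < self.k:
            return False
        points = [self._point(u, pw) for u, pw in list(creds.items())[: self.k]]
        candidate = _interp_at_zero(points)
        if hashlib.sha256(candidate.to_bytes(16, "big")).digest() != self.verifier:
            return False
        self._secret, self._points = candidate, points
        return True
    def verify(self, user, password):  # single-password check, only once unlocked
        if self._secret is None:
            raise RuntimeError("store locked: %d correct passwords needed first" % self.k)
        idx, y = self._point(user, password)
        anchors = [p for p in self._points if p[0] != idx][: self.k - 1]
        return _interp_at_zero(anchors + [(idx, y)]) == self._secret
```

A blinded share on its own is indistinguishable from random for any password guess, which is what denies an attacker holding the table the ability to test candidates one account at a time.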

PHP gets its own formal language specification

Although the PHP scripting language has been around since 1995 and is a staple of Web development, it does not actually have a formal language specification — just extensive user documentation. But that is all set to change.

Led by Facebook, a draft specification has been posted on GitHub to provide a complete definition of PHP language semantics and syntax.

via PHP gets its own formal language specification | Php web – InfoWorld.

Why the Security of USB Is Fundamentally Broken

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

via Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED.

If you want to be rich and powerful, majoring in STEM is a good place to start

The standard narrative today is that science, technology, mathematics, and engineering (STEM) education is important because we need more data scientists, engineers, and STEM professionals. But promoting STEM education is critical for another reason: it teaches creative problem solving, which is widely applicable and more necessary than ever today. STEM education is linked to success not only in STEM fields, but in many other disciplines and even among many of the world’s most wealthy and powerful people.

At the heart of mathematics is pattern recognition and the joy of numerical play. What psychologists might call fluid reasoning, or mental power, is what you use when you’re struggling with a problem and don’t know what to do. This includes pattern recognition, abstract reasoning, and problem solving, and can be considered the engine powering numeracy. It is fundamental to so much of human and technological progress, as Erik Brynjolfsson and Andrew McAfee noted in The Second Machine Age. Math education, then, is really about training people to think creatively within a logical space and to solve problems.

via If you want to be rich and powerful, majoring in STEM is a good place to start – Quartz.

As Technology Advances, Cybersecurity Jobs Take Center Stage

The modern Internet is proving to be a hacker’s playground, and cybersecurity is no longer an afterthought for the private sector or government agencies.

The expanded commercial opportunities and medical advancements offered by the much anticipated Internet of Things will also present new security challenges for future cyber warriors. And, considering recent cases in which hackers were as young as 15, it’s imperative that schools and companies encourage kids to protect online data rather than exploit it.

via As Technology Advances, Cybersecurity Jobs Take Center Stage – US News.