- PayPal-owned company TIO Networks data breach affects 1.6 million customers
- Security Affairs newsletter Round 139 – News of the week
- UK National Cyber Security Centre (NCSC)’s letter warns against software made in hostile states, specifically Russia
- Halloware Ransomware, a new malware offered for sale on the Dark Web for Only $40
Posted: 03 Dec 2017 08:25 AM PST
PayPal confirmed that one of the companies it owns, TIO Networks, suffered a security breach: hackers accessed servers that stored information for 1.6 million customers.
TIO Networks, a Canadian firm that runs a network of over 60,000 utility and bill payment kiosks across North America, was recently acquired by PayPal for $238 million.
On November 10, PayPal suspended the operations of TIO's network after discovering "security vulnerabilities" affecting the TIO platform and finding that TIO's data security programme did not meet PayPal's security standards.
"While we apologise for any inconvenience this suspension of services may cause, the security of TIO's systems and the protection of TIO's customers are our highest priorities.” said TIO Networks.
“We are working with the appropriate authorities to safeguard TIO customers.”
"The PayPal platform is not impacted by this situation in any way and PayPal's customers' data remains secure.
“Our investigation is ongoing. We will communicate with TIO customers and merchant partners directly as soon as we have more details. Customer updates will also be posted at www.tio.com."
The Canadian firm disclosed the data breach, but did not provide any other details.
On Friday, December 1, PayPal published a press release that includes more details on the hack.
“PayPal Holdings, Inc. (Nasdaq: PYPL) today announced an update on the suspension of operations of TIO Networks (TIO), a publicly traded payment processor PayPal acquired in July 2017. A review of TIO's network has identified a potential compromise of personally identifiable information for approximately 1.6 million customers.” reads the press release.
“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal's customers' data remains secure.”
Because the TIO systems are completely separate from the PayPal network, PayPal's customers' data were not affected by the incident.
PayPal confirmed that the attackers stole the personal information of both TIO customers and customers of TIO billers, but it did not disclose what type of information the hackers compromised.
The attackers likely accessed personally identifiable information (PII) and financial details.
PayPal is notifying affected customers of the data breach and is offering free credit monitoring memberships.
The customers of TIO Networks can visit the TIO Networks website for more information on the data breach.
“TIO has also begun working with the companies it services to notify potentially affected individuals, and PayPal is working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.” continues the press release.
(Security Affairs – TIO Networks, data breach)
Posted: 03 Dec 2017 05:38 AM PST
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Once again thank you!
Posted: 03 Dec 2017 04:52 AM PST
The UK National Cyber Security Centre (NCSC) warns of supply chain risk in cloud-based products, including antivirus (AV) software developed by Russia.
The ban of Russian security software from US Government offices has long been debated; now part of the UK intelligence community is adopting the same strategy.
Last week the CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.
The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.
The letter warns against software made in hostile states, specifically Russia: as the Prime Minister's Guildhall speech set out, the Moscow government is acting against the UK's national interest in cyberspace.
The letter provides advice to Government agencies and offices; it is not a ban on specific products.
The letter highlights that antivirus software is necessarily intrusive in order to detect malicious code, so it is important to remain vigilant to the risk that AV products developed by a hostile actor could perform a wide range of malicious activities.
“The job of AV is to detect malware in a network and get rid of it. So to do its job properly, an AV product must (a) be highly intrusive within a network so it can find malware, and (b) be able to communicate back to the vendor so it knows what it is looking for and what needs to be done to defeat the infiltration. It is therefore obvious why this matters in terms of national security. We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.” reads the letter.
“That's why the country of origin matters. It isn't everything, and nor is it a simple matter of flags – there are Western companies who have non-Western contributors to their supply chain, including from hostile states. But in the national security space there are some obvious risks around foreign ownership.”
“The specific country we are highlighting in this package of guidance is Russia.”
The official warns that exposure of classified information to the Russian state would be a risk to national security; for this reason, a Russia-based AV company should not be chosen. It is an obvious reference to the Kaspersky case.
The letter recommends excluding software developed by Russia-based companies from any system processing information classified SECRET and above.
“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.” continues the Letter.
“This will also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.”
Martin confirmed that the NCSC is in discussions with Kaspersky Lab about whether the UK Government can develop an independently verifiable framework that would give it assurance about the security of the Russian firm's involvement in the wider UK market.
“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state. We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.” continues the Letter.
In response to the current situation, Kaspersky launched the Transparency Initiative in late October, which allows government agencies to review its security software for backdoors.
(Security Affairs – NCSC, Cyber espionage)
Posted: 03 Dec 2017 12:33 AM PST
The Halloware ransomware is a new malware offered for sale on the dark web; its author, who goes by the moniker Luc1F3R, is selling it for just $40.
According to the experts at Bleeping Computer, Luc1F3R started selling Halloware this week through a dedicated portal on the dark web. Luc1F3R claims to be a 17-year-old college student from Northeast India.
“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube.” reported Bleeping Computer.
“The sites are offering a lifetime license for the Halloware ransomware for only $40.”
The low price made the researchers suspicious of a scam, so they decided to investigate the case.
Operational mistakes in the websites Luc1F3R used to sell the ransomware allowed the experts from Bleeping Computer to track down a web page where Luc1F3R was hosting the index of Halloware files. The page included weaponized documents used to deliver the malware.
One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.
Another file named ran.py seems to be Halloware’s source code.
“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users.” continues the analysis from Bleeping Computer.
The researchers highlighted that Halloware is a working ransomware that encrypts files using a hardcoded AES-256 key and prepends the “(Lucifer)” string to encrypted file names. For example, once encrypted, a file named image.png appears as (Lucifer)image.png.
Once the Halloware ransomware has completed the encryption process, it pops up a window showing a creepy clown and a ransom message with instructions to pay the ransom and decrypt the data. The victim's desktop wallpaper also displays a similar message, but the experts noticed that Halloware does not drop text files with ransom notes on the infected PCs.
Wannabe criminals who buy the ransomware can generate their own build by changing two images and adding their customised payment site URL.
However, the experts noted that the ransomware uses a hardcoded AES key and does not send any information to a remote server; this characteristic makes the malware of little use to the criminal underground.
According to Bleeping Computer, Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.
Further details, including IoCs, are available on the Bleeping Computer website.
(Security Affairs – Halloware Ransomware, Dark Web)