INFORMATION SECURITY NEWS
For The Week of 9/26-10/03 2017
CURRENT NEWS
Sonic Hack May Have Affected Millions of Credit Cards
Millions of credit card numbers were stolen from Sonic, an American fast food chain with branches in 45 states. The credit card dump is being referred to as “firetigerrr” on Joker’s Stash, a marketplace for stolen credit cards. Card information can be bought for $25-$50 per card, and potential buyers can choose to only buy cards close to them, circumventing some out-of-state anti-fraud measures. The hack most likely was carried out by compromising Sonic’s point-of-sale systems, and copying data from magnetic strips when the cards were swiped.
CBS’ Showtime website was recently found to contain JavaScript code that used consumers’ excess processing power to mine Monero coin. It is currently unclear whether CBS put the JavaScript on the site themselves or a malicious actor injected it. The mining script found on the site belonged to a company known as “Code Hive”, but the company does not claim responsibility for the incident. Code Hive’s platform revolves around managing code that site administrators pull in to generate income through cryptocurrency mining. The company suggests that its services can be seen as an alternative to hosting ads on websites, allowing companies to use customer resources to help monetize their platform.
https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/
Oracle 18c Patching through Machine Learning
During the Oracle OpenWorld conference, Oracle Chief Technology Officer Larry Ellison gave a presentation on the new Oracle 18c. Oracle 18c is an automated database that will require no downtime to patch itself. Through the use of machine learning, resource efficiency, and availability, Oracle 18c will be able to provide a level of security that current databases just cannot supply.
http://www.businessinsider.com/oracle-18c-database-patch-cybersecurity-flaws-2017-10
Moscow has been testing a “city-wide” network of CCTV cameras for nearly a year. The network of 160,000 CCTV cameras covers 95% of the entrances to apartment buildings in the city. Moscow is working with Russian startup NTechLab to perform facial recognition to potentially catch suspects. NTechLab CIO Artem Ermolaev says the project is between the testing and finished phases, and that it has already led to six arrests. Interestingly, due to cost, only a few thousand of the cameras are active at a time, mainly ones in high-crime areas or ones located where suspects are likely to go.
https://www.theverge.com/2017/9/28/16378164/moscow-facial-recognition-cctv-arrests-crime-surveillance
ADDITIONAL READING
Points of Failure for Two Factor Authentication
Two-factor authentication is great for having a user prove their identity. However, the scheme is vulnerable to a man-in-the-middle attack. If an attacker were to create a site that mimics Google’s sign-in page, that site can pass the user’s information through to Google’s servers when the user tries to sign in. The user will then receive a prompt on their phone (or an SMS code), which they either accept or type into the malicious site. The malicious site can then send the code along to Google’s servers, and the attacker will be logged in as the user, with the user being none the wiser.
https://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html
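The weakness described above comes down to what the server can observe when a code arrives. The Python below is an added example, not part of the original newsletter or the linked post: it models the typed code as an RFC 6238 time-based code, which verifies no matter which page collected it, and contrasts it with a response that covers the site origin, which fails to verify when produced for a look-alike origin. The secret, origins, challenge and function names are constructed for illustration, and the HMAC-based origin-bound response is a simplified stand-in for origin-bound authentication, not a real protocol.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"                 # constructed sample key
REAL_ORIGIN = "https://login.example"               # constructed real origin
LOOKALIKE_ORIGIN = "https://login-example.invalid"  # constructed look-alike


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_code(code: str, unix_time: int) -> bool:
    """Server-side check: the code carries no trace of where it was typed."""
    return hmac.compare_digest(code, totp(SECRET, unix_time))


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Client side (assumed scheme): the response covers the origin visited."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_accepts_response(response: bytes, challenge: bytes) -> bool:
    """Server-side check: only a response computed for REAL_ORIGIN verifies."""
    expected = origin_bound_response(SECRET, challenge, REAL_ORIGIN)
    return hmac.compare_digest(response, expected)


def demo(unix_time: int = 1506988800) -> dict:
    challenge = b"constructed-server-challenge"
    code = totp(SECRET, unix_time)  # same digits whichever page the user is on
    real = origin_bound_response(SECRET, challenge, REAL_ORIGIN)
    fake = origin_bound_response(SECRET, challenge, LOOKALIKE_ORIGIN)
    return {
        "code_typed_on_real_site": server_accepts_code(code, unix_time),
        "code_forwarded_10s_later": server_accepts_code(code, unix_time + 10),
        "response_for_real_origin": server_accepts_response(real, challenge),
        "response_for_lookalike": server_accepts_response(fake, challenge),
    }


if __name__ == "__main__":
    print(demo())
```

The forwarded code is accepted because nothing in it identifies the page that collected it; the origin-bound response is rejected because the value the server recomputes covers a different origin.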