Jimmy Kimmel Asks What Is Your Password?


By William Knowles @c4i
Senior Editor
InfoSec News
January 17, 2015

President Obama just unveiled a number of proposals to crack down on hackers. It’s great that the government is working on this but we need to do a better job of protecting ourselves. So Jimmy Kimmel sent a camera out onto Hollywood Boulevard to help people by asking them to tell us their password.

It’s too bad there’s no legislation planned for poor password choice.

NASDAQ Vulnerable to XSS

Dream it, Do it, NASDAQ 

By William Knowles @c4i
Senior Editor
InfoSec News
January 16, 2015

Bob Greifeld, CEO of The NASDAQ Stock Market explains in a promotional video “that NASDAQ is a technology based company, those businesses that we’re in have a unifying theme that are built upon our technology.”

Top technology companies such as Google, Tesla, Amazon, and GoPro, to name a few, use NASDAQ as their trading exchange.

When NASDAQ “goes to a developing market and provide to them our technology, it’s not just the software code, it’s all the best practices that have been developed on a global basis that they integrate into their operations.”

Even with this information in mind, it is hard to explain why a security researcher named analfabestia was able to discover and report a new XSS (Cross-Site Scripting) vulnerability on NASDAQ.com on January 14, 2015, the sixth such vulnerability in nearly seven years.

The vulnerability, reported to XSSposed (XSS exposed), is still unpatched, putting NASDAQ users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably among the less dangerous consequences of XSS attacks.

NASDAQ was previously hacked back in 2010; Bloomberg BusinessWeek covered that intrusion in July 2014.

Nasdaq (NASDAQ: NDAQ) is a leading provider of trading, exchange technology, information and public company services across six continents. Through its diverse portfolio of solutions, Nasdaq enables customers to plan, optimize and execute their business vision with confidence, using proven technologies that provide transparency and insight for navigating today’s global capital markets.

Photo: Marc van der Chijs via Compfight, Creative Commons License

Happy Holidays from InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
December 25, 2014

Happy Holidays from InfoSec News…. We’re taking the rest of the week off!



ARRL Probing Web Server Breach by Hackers


By William Knowles @c4i
Senior Editor
InfoSec News
October 10, 2014

Last month a web server at ARRL Headquarters was breached by an unknown party. ARRL IT Manager Mike Keane said that League members have no reason to be concerned about sensitive personal information being leaked, and assured members that there’s nothing of financial value on the compromised server.

Some ARRL servers were taken offline and isolated from the Internet when the hack was discovered, and some web functions were temporarily disabled. The ARRL expects to restore service by close of business on Wednesday, October 8, 2014.

ARRL’s Mike Keane stressed that it is highly unlikely that any sensitive information was compromised. Any information the hacker might have been able to glean from the ARRL server, he said, is already publicly available — data such as names, addresses, and call signs that appear in the FCC database.

The hacker may have been able to obtain site usernames and passwords that were established prior to April 2010 and have not been changed since then. ARRL members who have not changed their ARRL website passwords since early 2010 should do so as soon as possible.

Keane said that in addition to reporting the security breach to federal law enforcement authorities, his department is working to increase the League’s Internet security posture.

Photo by C-Serpents via Compfight

AB Acquisition LLC and Supervalu Inc. Announce Second Hacking Incident Involving Payment Card Data Processing


By William Knowles @c4i
Senior Editor
InfoSec News
September 30, 2014

AB Acquisition LLC and Supervalu Inc. are the newest retailers to be hit by security breaches this year, joining a list that includes Aaron Brothers, Bartell Hotels, CVS, eBay, Goodwill Industries International Inc., Home Depot, Jimmy Johns, Michaels Stores, Neiman Marcus, Recreational Equipment Inc., Sally Beauty Supply, and Sears.

On September 29, 2014, AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., was notified by its third party IT services provider, Supervalu Inc., of a separate, more recent, attempted criminal intrusion seeking to obtain payment card information used in some of its stores. AB Acquisition has been informed that a different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing.

Supervalu Inc. (NYSE: SVU) announced on September 29, 2014 that it also experienced a criminal intrusion into the portion of its computer network that processes payment card transactions at Supervalu’s Shop ’n Save, Shoppers Food & Pharmacy, and four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, MN, where implementation of the enhanced protective technology had not yet been completed.

For these four franchised stores, Supervalu Inc. believes that the malware may have been successful in capturing account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some checkout lanes during the period of August 27 (at the earliest) through September 21 (at the latest), 2014.

Both companies discovered that, in what is believed to have been late August or early September 2014, an intruder installed different malware into the portion of the computer network that processes payment card transactions.

Because the point of sale systems are different across AB Acquisition divisions, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and their two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected by this new incident.

AB Acquisition LLC and Supervalu Inc. have made no determination that any cardholder data was in fact stolen by the intruder. Given the continuing nature of the investigation, it is possible that time frames, locations, at-risk data, and/or other facts in addition to those described above will be identified in the future.

Both AB Acquisition LLC and Supervalu Inc. customers who used their payment cards at those locations listed above during the relevant time period will receive 12 months of complimentary consumer identity protection services through AllClear ID.

Photo: Matt Baume via Compfight, Creative Commons License