Check Point Software Technologies released a media alert regarding online shops running Ebay’s open-source software Magento.
The company discovered a massive vulnerability that allows malicious attackers to execute remote code.
If it’s exploited, this vulnerability can fully compromise the store running Magento. Attackers have the ability to completely bypass the store’s security and access the full database and administrative tools.
“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30% of the ecommerce market.” – Shahar Tal, Malware and Vulnerability Research Manager
Prior to disclosing the findings, Check Point notified Ebay’s development team about this issue. As a result, the company posted a patch on February 9, 2015 (SUPEE-5344, available here). If you are running Magento and have not patched your application, now is the time to do it.
With over 240 000 installs, Magento is the most popular open-source ecommerce solution in the world. As you know, with popularity comes a lot of attention, and especially attention from digital threats. Some of the fastest growing online retailers use Magento as their go-to platform. Names like Alex and Ani and Warby Parker, as well as established companies such as Christian Louboutin and Olympus, have been exposed to this threat.
It’s not the first time either. This example from HackerNews shows how attackers advertised compromised shops in order to gather credit card information.
Long story short – if you are running one of the popular open-source ecommerce platforms (think Magento, Prestashop, OS commerce) – be on the lookout for security threats.
Home Depot, the largest home improvement retailer, has announced that 56 million credit card numbers have been compromised. In what is now known to be the biggest security breach in corporate history, Home Depot has been the target of an attack that lasted from April to September 2014.
Home Depot managed to beat the previous record, held by Target with 40 million compromised credit cards. As a result of Target’s security breach, the company laid off its CIO. Chairman, President and CEO Gregg Steinhafel then announced his resignation as a result of the security breach and previous unfortunate events, like losing $941 million in a failed Canadian expansion.
September 2nd: the same man that announced Target’s breach, Brian Krebs, announces a new security breach, this time at Home Depot. The same day, Home Depot starts digging through its POS systems, and on September 8th announces that indeed, a breach has happened.
Krebs reports that the same group of Russian and Ukrainian hackers that managed to steal Target’s data were responsible for the hack. The same day a new batch of credit cards shows up online. The batch’s code name: European Sanctions.
16 days later, Home Depot announced that it had cleared all infected systems and “has completed a major payment security project that provides enhanced encryption of payment data at point of sale”.
The company worked with security firms, banking partners and the Secret Service to find out as much as possible about the breach. Results show that the hackers used custom-built, never-before-seen malware. This was not the work of some isolated hacker group acting on its own; a very well organized attack was set in motion.
Home Depot has worked with banks to provide customer support to those in need. A small local bank, Dollar Bank, as well as larger banks such as JP Morgan Chase and Capital One, have started replacing credit cards.
Although Home Depot has not been hit by the market as hard as Target was, one can still feel the tension looming over the retailer’s security actions. Consumers are more careful in how they use their credit cards, and banks have jumped on board the Apple Pay system, which promises better security.
The fact that the same group of hackers seems to have been involved in attacking Target as well as Home Depot points to a maybe. But then you have the Secret Service involved. You have an ex-Homeland Security contractor acting as CIO at Target. You have the FBI investigating whether Russia is behind the recent JP Morgan Chase cyber attack.
But most of all – you have Edward Snowden, defected to Russia with a few gigs of classified information on US cyber intelligence actions. Some of those actions may have included packing backdoors and security flaws into US digital infrastructure. Too bad.
Yes, there probably is a cyber war going on, and the US and Europe are extremely exposed. Retailers should pay a lot more attention to their security backbones and check each potential backdoor, should they not want to suffer the same unfortunate events Home Depot, Target and others have faced.
In what could be the biggest security breach in history, Ebay may have lost personal data for 233 million accounts. Long story short – hackers got access to employees’ corporate network credentials, probably by phishing. They then accessed and extracted user data saved in Ebay databases, including addresses, dates of birth, usernames, emails and passwords, which Ebay officials mentioned were encrypted. There is as yet no report of hackers stealing credit card info from PayPal (an Ebay subsidiary).
Ebay was “quick” to notify its users on the breach – it only took them three months to discover and communicate what could now be the largest cyber-attack on an American company.
One can only notice the similarities between this breach and the one that previously put Target’s CEO out of a job. In the previous biggest cyber-attack on an American company, Target lost personal data for more than 110 million of its customers, some of which included credit card info.
In the aftermath the company was heavily investigated by law enforcement as well as the Secret Service. The company hired a new CIO following the security breach, Bob DeRodes, a former security analyst for the US Department of Homeland Security, US Department of Justice and the US Secretary of Defense.
The fact that Target customers’ credit card info later showed up on Russian underground forums, as well as involvement from national security specialists, points to something closer to cyber warfare than your everyday phishing.
The shady practices employed by the NSA to gather intel have probably left the Internet a less secure place. If it weren’t for Heartbleed, a vulnerability the agency has allegedly kept secret, or other backdoors, tracked and harnessed in the interest of “national security” – probably Ebay wouldn’t report losing more than 200 million accounts today.
Now I’m not saying that some groups left American tech companies with heavy security gaps. And I’m not saying that some former agent / analyst of theirs is halfway across the globe in a country known for its history of espionage and overall unfriendliness toward the US. But probably someone should say it.
Last year American retailer Target was the victim of a security breach. The hack compromised personal data for over 110 million customers. What is now known to be one of the biggest security breaches in corporate history has not left the company unscathed.
On December 13th, 2013, Target executives meet with the US Justice Department. The reason: discussing a hack that exposed credit and debit card data for over 40 million customers. On December 18th security analyst Brian Krebs breaks the news. The Secret Service is involved and Target gets investigated.
On Dec. 27, 2013, word’s out that PIN numbers for the stolen cards were accessed. Target acknowledges PINs were accessed but says they were not decrypted. Meanwhile Russian forums get flooded with millions of credit cards.
And then it gets worse: Target declares an additional 70 million customers were affected by the security breach. The company reveals poor Holiday sales, lays off 475 employees and reports costs associated with the data loss topping $200 million.
Fortunately, employees get to wear jeans and polo shirts.
The breach left Target in a disastrous situation as profits dropped 46% in the last quarter (-$440 million), compared to the year before.
After the blast, some heads were sure to fall. First was CIO Beth Jacob, the obvious … target. To show it means business, the company brought Bob DeRodes on board, as new CIO and executive VP. DeRodes, 63, started on May 5th and now oversees the adoption of secure technology, with the help of $100 million worth of tech investments.
The new CIO is a tech security veteran, his previous endeavors including being a senior IT advisor for some organizations you might have heard of: the US Department of Homeland Security, US Department of Justice and the US Secretary of Defense.
But that was not enough. Chairman, President and CEO Gregg Steinhafel announced his resignation. The breach left both Steinhafel and the company in a vulnerable position.
The company announced the parties have reached a settlement that will probably allow the ex-CEO to walk out with over $11.7 million in salary and incentive pay. Not bad for a CEO leaving a company that lost $941 million in its 2013 Canadian expansion, is under heavy fire from Amazon and Walmart and was just exposed to the biggest card robbery in history.
But then again, the man did work for Target for the past 35 years.