IT security firm Trustwave sued for Failing to Stop Data Breach

IT security firm Trustwave has been accused of failing to properly investigate the card breach suffered by the Las Vegas-based casino operator Affinity Gaming in 2013.

Affinity Gaming filed a complaint in the district court of Nevada in December alleged Trustwave of misrepresenting themselves and failed to perform the adequate investigation, identify the breach, and falsely misinform them about the correction of the breach.

In December 2013, Affinity Gaming suffered a security breach that penetrated their payment card systems. They called Trustwave to investigate the matter.

According to the complaint filed “Trustwave informed the company that the malware was removed from its systems and that the breach was contained.”

After Trustwave completed its investigation, Affinity Gaming called Ernst & Young to conduct penetration testing. While penetration testing testers identified suspicious activity associated with a piece of malware.

Now Affinity Gaming  called FireEye-owned forensic specialist Mandiant  for further investigation.

The complaint was filed based on the latest investigation done by Mandiant.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

Affinity is looking for damages in excess of $100,000 / €92,000.

A trojan that evades security products and stole data

Spymel, a new Trojan discovered by Zscaler (a US-based cyber-security vendor), reaches computer through spam emails and remain undetected from security products.

This Trojan is attached to emails as an archive file. Once it is downloaded and decompressed, the archive file starts executing a JavaScript file that downloads and installs the actual malware executable, a .NET binary.
It is notion that the  archive file does not contain the malware, so the antivirus products fails to flag the danger. .Net binary is also not detected because of the  digital certificate that is issued by  SBO INVEST via DigiCert.

According to Zscaler  Spymel infections was  first detected in early December 2015. As soon as they informed the case to DigiCert and had the certificate revoked. But the group behind Spymel quickly updated their certificate
.
Spymel can act like a malware payload downloader , make screenshots of a user's desktop, record videos of the desktop, log keystrokes, and upload stolen data to a remote server.

Spymel is a perfect example of  malware, where malware can use archive files boobytrapped with JavaScript code and digital certificates to hide.

MagSpoof which costs $10 can steal your credit card number


Someone has made a device that costs $10 which could steal credit card information when anyone has lost his credit card and applied for a new card. And before he gets it, the device helps hacers to steal or at least guess the credit card number.

The device dubbed MagSpoof was made by Samy Kamkar. The device can predict and store hundreds of American Express credit card numbers, allowing anyone to use them for wireless payment transactions, even at non-wireless terminals.

According to the hackers, MagSpoof can spoof any magnetic stripe or credit card entirely wirelessly, it also disable chip and PIN (EMV) protection and accurately predict the card number and expiration date on American Express credit cards.

“MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc,” Kamkar said in a blog post.

MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it's being swiped. The magstripe reader requires no form of wireless receiver, NFC, or RFID. MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it.

The device actually guesses the next credit card numbers and new expiration dates based on a cancelled credit card's number and when the replacement card was requested respectively. This process does not require the three or four-digit CVV numbers that are printed on the back side of the credit cards.


The hacker has notified American Express and said the company is fixing the flaw. 

FBI denies paying $1 million to attack Tor



FBI has refused an accusation of paying at least $1 million to Carnegie Mellon University (CMU) researchers to infiltrate Tor, a free software implementation of second-generation onion routing that enables its users to communicate anonymously on the internet.

The intelligence agency told Ars Technica, that these accusations of paying the security researchers of the university to disclose the Tor users as well as Reveal their IP addresses as part of a criminal investigation was 'inaccurate'.

"The allegation that we paid (Carnegie Mellon University) $1 million to hack into Tor is inaccurate," the FBI said.

However, the Tor Project team had discovered last year in July that more than hundred new Tor relays that modified Tor protocol headers to track people who were looking for Hidden Services, web servers hosted on Tor that offers more privacy.

The attackers used a combination of nodes and exit relays along with some vulnerabilities in the Tor network protocol that let them uncovered users' real IP addresses.

After discovering the flaws, the team updated its software and rolled out new versions of code to block similar attacks in the future. But, during that time the team could not find the hackers behind the flaws.

“We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor -- but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research," the Tor team said in a blog post.

"Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent," the post added.


Now, the Tor claims to have patched the vulnerabilities but this doesn't solve the core problem.

5.6 million fingerprints stolen, but the reason is still unknown

Some people are blaming Office of Personnel Management (OPM), which serves as a sort of human resources department for the federal government,  some are saying unchangeable biometrics and others are blaming Chinese hackers behind the massive breach in U.S of the OPM’s servers during which fingerprints of 5.6 million people were stolen.

No matter, what was the reason but the tension is about those millions people whose fingerprints have been stolen. What would be the consequence? Or there is nothing to worry about?

The authority concerned needs to come up with some program to address the issue.

Now, the U.S. officials have blamed Chinese government hackers without any evidence. China has also denied to have any involvement in the breach.

The OPM has said that the federal experts believe there is low chance of fingerprints being misused. However, there is a possibility that future technologies could take advantage of this information.

The OPM had earlier confirmed that the number of people was 1.1 million only. However, the number has now increased to 5.6 million.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology, told Boing Boing. “I’m surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

Not only the fingerprints, it is said that about 21.5 million individuals had their Social Security Numbers and other sensitive information affected by the hack.

As per the OPM, now, Department of Homeland Security and Defense Department representatives are planning to review the implications of the stolen fingerprint data.

Two Ukrainian defendants to pay $ 30 million to the Securities and Exchange Commission

Ukrainian based firm, Jaspen Capital Partners Limited and Chief Executive Officer (CEO), Andriy Supranonok had agreed to pay $30 million to settle U.S. Securities and Exchange Commission (SEC) civil insider trading charges on Monday (September 14).

SEC had charged the two to have traded on information from illegally obtained news releases.
The company had become the first of 34 defendants to settle SEC charges over allegations of theft of more than 150,000 press releases from Newswire before the news became public.

Traders would sometimes create what prosecutors called “shopping lists” of companies that were expected to make announcements and pass them on to hackers.

The illegal profit generated by traders over a period of five years is estimated to be around $ 100 million while Jaspen and Supranonok made approximately $25 million buying and selling contracts-for-differences (CFDs), which are derivatives allowing for leveraged stock price bets, to trade from 2010-2015 trading on press releases stolen from newswire service.

The case was filed in U.S. District Court for the District of New Jersey, which entered an asset freeze and other emergency relief against Jaspen and Supranonok, among others. Nine of the defendants also face criminal charges, though Jaspen and Supranonok were not criminally charged.

Without admitting or denying the SEC’s allegations, the two defendants agreed to transfer $30 million of ill-gotten gains from the accounts which were frozen a month ago.

"Today's settlement demonstrates that even those beyond our borders who trade on stolen nonpublic information and use complex instruments in an attempt to avoid detection will ultimately be caught,” said SEC enforcement chief, Andrew Ceresney.

The settlement between Jaspen and Mr. Supranonok must be approved by a court.

The SEC said its civil case will continue against the other 32 defendants.