Crafty Hackers & Other AppSec Stories This Week

Breaches seem to be hitting every country across every industry these days. This week was no better. Not only did the biggest craft store in the U.S. disclose a breach affecting an unknown number of credit card users, but nearly 40% of South Koreans as well as 16 million Germans are dealing with the effects of major breaches in each of those countries. With the list of 2013’s worst and most overused passwords wrapping up the week’s news, let’s hope the rest of 2014 is a more secure year.

Michael’s Craft Stores Suffered Data Breach

Another breach has been uncovered, this time affecting customers who may have shopped at the popular craft store chain, Michaels Stores. Brian Krebs, who first discovered the breach, found from speaking with four different financial institutions that they were investigating credit cards being used for fraudulent purchases and that the common purchases all traced back to Michaels.

The company responded to the claims in a statement, saying they’ve “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.” There are over 1,000 stores across the U.S. & Canada, though it’s unclear which stores were affected. Sources close to the breach are comparing it with Target’s recent breach, in that the cards being implicated in the fraud have not been confined to one store or even one particular area, instead being rather widespread.

Read More about the Michaels breach on Krebs on Security here.

CNN’s social media accounts compromised by SEA

The Syrian Electronic Army is not slowing down with its hack attacks centered on major US institutions, from last week’s Microsoft hack to this week’s CNN attack. After a story went up on CNN.com alleging that Syrian President Bashar al-Assad’s regime has been systematically torturing and killing thousands of anti-Assad detainees, the leader of the Syrian Electronic Army (SEA) took to Twitter to vent his disgust. CNN’s Twitter account, that is.

“Syrian Electronic Army Was Here…Stop lying…All your reports are fake!” was the message sent to CNN’s 11.5 million Twitter followers. Subsequent tweets were sent from other CNN-run accounts, including @NatlSecurityCNN and @CNNPolitics, and CNN’s official Facebook page. After the hacking, SEA took to its own Twitter to explain the attack: “Instead of any actual journalism, #CNN turned into a loud horn calling for the destruction of the #Syrian-n state.”

The group was able to take control of the accounts with its signature move: a phishing scam asking employees of whatever business is being targeted to change their passwords, sending them to a very real-looking fake version of the credentials page. A source that follows the SEA attacks told Mashable that “Typically they have two targets: Targets that they use to pivot and send and broadcast, and other targets that they’re intending to own in order to pursue whatever their motivation is.”

Read more about the SEA-CNN event here.

SnapChat’s New CAPTCHA feature Cracked in 30 Minutes, 100 LoC

After an unfixed vulnerability led to the spilling of 4.6 million SnapChat user credentials and a severe uptick in spam messages, the company behind the app has upgraded its security by adding a CAPTCHA element as a system for “people verification.” Unfortunately, the CAPTCHA is not as strong as its creators would have hoped and was apparently hacked within 30 minutes.

Steven Hickson, an engineer currently studying at Georgia Tech, detailed his SnapChat hack on his blog. Hickson found that because the CAPTCHA is less a CAPTCHA than a template of a very distinct mascot – the SnapChat ‘ghost’ – it is incredibly easy to program a computer to find the correct image and bypass the CAPTCHA security. Hickson claimed 100% accuracy in extracting the exact shape of the SnapChat ghost and matching it with pre-defined templates – all while using less than 100 lines of code. As Hickson so eloquently put it, “If it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong.”

See Hickson’s SnapChat Hack here.

Nearly Half of South Korea Compromised in Data Breach

The importance of strong internal security policies has surfaced again in light of a massive breach that leaves 40% of South Koreans at risk of fraud. A contract IT employee at the Korea Credit Bureau reportedly stole and leaked the credit card data of 20 million South Koreans, taken from the three biggest credit card firms in that country. The data was then sold to marketing firms, which are now being investigated as part of the breach. The IT contractor, who allegedly had been stealing the data over the course of a year and a half, has been arrested. The data was apparently unencrypted and was easily accessed by the rogue employee. The credit card firms have stated that they will cover any financial losses due to the incident.

Read more about the breach in South Korea here.

16M German Passwords & Other Details Hacked with Infected Computers

In what is becoming ‘Around the world in millions of hacks,’ Germany also suffered a breach this past week, affecting at least 16 million users whose email passwords and other details were stolen. Germany’s Federal Office for Security, or BSI, said that an investigation by law-enforcement agencies brought to light a massive botnet that had been stealing user credentials for an unknown period of time. Over half of the stolen accounts ended in .de, the German country code used online, and the BSI has set up a site where users can check their email address against the hacked database.

Read more about the German breach here.

The Time Has Come For Stronger Passwords

If this week’s stories haven’t convinced you well enough, I’m not sure you can be saved, but really, guys: It’s time to stop choosing simplicity over personal security this year. The results are in, and 2013’s worst password was ‘123456’. This is almost a step up from 2012’s analysis, which actually revealed ‘password’ as the most common password. It came in at #2 this year, followed by ‘12345678,’ ‘qwerty,’ and ‘abc123’ coming in at #5. Here’s your last reminder: If any of your passwords are included on this list, make the change today.

Read more about the most commonly used (and therefore WORST) passwords and tips for creating stronger ones here.
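A reminder is nice, but a registration or password-change form can simply refuse the passwords on that list. The check below is an added example (not code from the original post or from Checkmarx) that rejects the five entries the roundup names, plus the trivial tweaks people make to them (capital letters, appended digits or symbols, leet substitutions); the normalisation rules are assumptions about how weak passwords get "strengthened", and a real deployment would load a much larger breached-password list.

```python
"""Reject the 2013 "worst passwords" and their trivial variants.

Added example, not part of the original post. WORST_2013 is constructed
from the five entries the roundup names; the normalisation rules are
assumptions about common password tweaks.
"""
import re

# Constructed from the entries the post names (ranks 1, 2, 3, 4 and 5).
WORST_2013 = {"123456", "password", "12345678", "qwerty", "abc123"}

# Undo the most common leet substitutions so "P@$$w0rd" reduces to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> set:
    """Return every base form a tweaked password reduces to."""
    base = pw.lower()
    forms = {base, base.translate(LEET)}
    # "qwerty!!" -> "qwerty": drop trailing punctuation.
    forms.add(re.sub(r"[^a-z0-9]+$", "", base))
    # "Password1" -> "password": drop trailing digits and symbols.
    no_suffix = re.sub(r"[^a-z]+$", "", base)
    forms.add(no_suffix)
    # "p@ssw0rd1" -> "p@ssw0rd" -> "password": both tweaks at once.
    forms.add(no_suffix.translate(LEET))
    return {f for f in forms if f}


def is_blocklisted(pw: str, blocklist=WORST_2013) -> bool:
    """True if the password is, or trivially tweaks, a blocklisted one."""
    return any(form in blocklist for form in normalize(pw))


def check_password(pw: str, min_len: int = 12) -> list:
    """Return the policy violations for pw (an empty list means acceptable)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_blocklisted(pw):
        problems.append("matches (or trivially tweaks) a known worst password")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "P@$$w0rd", "qwerty!!",
                      "a-long-unique-phrase-42"):
        print(repr(candidate), check_password(candidate) or "ok")
```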

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
