While the Heartbleed bug again dominated the news this week, a few other security stories deserve some love. Here are your top five of the week – get caught up for the weekend!
Michaels Credit Card Breach: 3 Million Customers At Risk
The arts and crafts chain Michaels Stores Inc. this week reported that they suffered two separate security breaches spanning eight months. The breach, which was first reported in January, exposed up to three million customers credit and debit card data.
“The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period,” the statement on their website says.
That number is probably less than they were expecting, having come so close to the massive Target breach. In addition to the Michaels breach, customers of Aaron Brothers, owned by Michaels, was victim to a separate breach, in which around 400,000 customers are at risk.
“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement continues. The company is offering free identity protection and credit monitoring for affected customers.
Continue reading about the Michaels announcement here.
WhatsApp Security Flaw Exposes User Locations
Another security vulnerability was found in the popular WhatsApp messenger platform. Researchers at UNH Cyber Forensics Research & Education Group discovered that when you use the apps’ “send my location” feature, an image of your location is sent unencrypted to the other party. The flaw leaves users wide open to surveillance and possible exploitation.
After submitting their findings to the WhatsApp team, the company responded that they already have a fix on the way “in the next release on each platform”. Until then, you’re advised not to use the send my location feature, as you could be opening yourself up to Man-In-The-Middle attacks or just some good old-fashioned spying.
Last month, right after it was acquired by Facebook for a cool $16 billion, a security consultant found a flaw that would allow a rogue or malicious app to see and steal users’ private WhatsApp chats. That vulnerability was only found on the Android platform, since WhatsApp data is saved to the phone’s microSD card, which can be read by any app you’ve given it permission to access.
Continue reading about the flaw here.
New iBanking Android Malware Targeting Facebookers
An advanced Android Trojan app is being targeted towards Facebook users in an attempt to bypass its’ two-factor authentication feature. The mobile Trojan was originally concocted for e-banking fraud and, once installed on a phone, has the ability to capture texts, redirect calls and capture audio.
In reality, there is no such app by Facebook on the market. When a victim downloads the app, they’ll be taken to a screen that asks them to generate a security code to access Facebook. That number won’t work. Instead, the app turns on two services in the background that can perform all the malicious actions mentioned earlier, as well as trying to erase all user data, send texts to the victim, leak the GPS and more.
The Trojan apps source code was released just last month in an underground forum, which prompted security researchers to warn of new uses for the nasty app. Apparently, a little social engineering was on the agenda.
Continue reading about the Trojan here.
Critical Java Update Patches 35+ Vulnerabilities
37 updates were released for Java SE on Tuesday, with four of them deemed critical after getting a CVSS (Common Vulnerability Scoring System) rating of 10 (out of 10). CVSS ratings of anything over 7.0 are considered severe, and the four critical updates could be exploited in the coming days or weeks, so it’s well-advised to update ASAP if you’re a Java user.
Read more about the Java update here.
Hackers Try To Blackmail Cosmetic Surgery Firm With Nearly 500,000 Stolen Records
Cybercriminals in the UK recently tried to blackmail the Harley Medical Group, a chain of cosmetic surgery centers after they hacked into the clinic’s system and stole up to 480,000 patient records. The hackers apparently exploited flaws in their websites contact form, allowing them full access to the clinics patient database.
Stolen information from the clinic’s 21 location chain included names of current and potential clients, home addresses, and other contact info, plus the potentially more damaging details about the specific operations patients received or were looking to receive.
Harley Medical Group did not pay up, instead contacting authorities. The Group has been notifying customers of the incident and they insist that no financial or medical data was taken. They’re almost lucky the hackers tried to blackmail them; had they been hacktivists, they may have just released the data – any businesses nightmare. The clinic isn’t yet aware of how the intruders got into their database, but they are definitely going to take steps to try and ensure this doesn’t happen again.
Read more about the extortion attempt here.