While the Heartbleed bug again dominated the news this week, a few other security stories deserve some love. Here are your top five of the week – get caught up for the weekend!
The arts and crafts chain Michaels Stores Inc. this week reported that it suffered two separate security breaches spanning eight months. The breach, first reported in January, exposed up to three million customers' credit and debit card data.
“The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period,” the statement on their website says.
That number is probably lower than they were bracing for, given how closely the incident followed the massive Target breach. In addition to the Michaels breach, customers of Aaron Brothers, a chain owned by Michaels, were victims of a separate breach that put around 400,000 customers at risk.
“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement continues. The company is offering free identity protection and credit monitoring for affected customers.
Continue reading about the Michaels announcement here.
Another security vulnerability was found in the popular WhatsApp messenger platform. Researchers at the UNH Cyber Forensics Research & Education Group discovered that when you use the app's “send my location” feature, an image of your location is sent unencrypted to the other party. The flaw leaves users wide open to surveillance and possible exploitation.
After the researchers submitted their findings to the WhatsApp team, the company responded that a fix is already on the way “in the next release on each platform”. Until then, you're advised not to use the “send my location” feature, as you could be opening yourself up to man-in-the-middle attacks or just some good old-fashioned spying.
Last month, right after WhatsApp was acquired by Facebook for a cool $16 billion, a security consultant found a flaw that would allow a rogue or malicious app to see and steal users' private WhatsApp chats. That vulnerability was only found on the Android platform, since WhatsApp data is saved to the phone's microSD card, which can be read by any app you've granted permission to access it.
Continue reading about the flaw here.
An advanced Android Trojan app is being aimed at Facebook users in an attempt to bypass the site's two-factor authentication feature. The mobile Trojan was originally concocted for e-banking fraud and, once installed on a phone, has the ability to capture texts, redirect calls and record audio.
In reality, there is no such app from Facebook on the market. When a victim installs the app, they're taken to a screen that asks them to generate a security code to access Facebook. That code won't work. Instead, the app starts two background services that can perform all the malicious actions mentioned earlier, as well as attempting to erase all user data, send texts to the victim, leak GPS location data and more.
The Trojan app's source code was released just last month on an underground forum, which prompted security researchers to warn of new uses for the nasty app. Apparently, a little social engineering was on the agenda.
Continue reading about the Trojan here.
Thirty-seven updates were released for Java SE on Tuesday, with four of them deemed critical after receiving a CVSS (Common Vulnerability Scoring System) rating of 10 (out of 10). CVSS ratings of anything over 7.0 are considered severe, and the four critical vulnerabilities could be exploited in the coming days or weeks, so it's well-advised to update ASAP if you're a Java user.
Read more about the Java update here.
Cybercriminals in the UK recently tried to blackmail the Harley Medical Group, a chain of cosmetic surgery centers, after they hacked into the clinic's system and stole up to 480,000 patient records. The hackers apparently exploited flaws in the clinic's website contact form, giving them full access to the clinic's patient database.
Stolen information from the clinic's 21-location chain included names of current and potential clients, home addresses and other contact info, plus the potentially more damaging details about the specific operations patients had received or were looking to receive.
Harley Medical Group did not pay up, instead contacting the authorities. The Group has been notifying customers of the incident and insists that no financial or medical data was taken. They're almost lucky the hackers tried to blackmail them; had they been hacktivists, they may have simply released the data, any business's nightmare. The clinic isn't yet aware of how the intruders got into its database, but it is definitely going to take steps to try to ensure this doesn't happen again.
Read more about the extortion attempt here.