Google announced on Friday the dates and prizes for the company’s second annual capture the flag (CTF) competition.
The qualifying round, for which nearly 200 teams have already signed up, will take place on June 17 and 18. The top 10 teams will be invited to one of Google’s offices for the final round.
Cybercriminals have been leveraging a new technique, which involves PowerPoint files and mouseover events, to get users to execute arbitrary code on their systems and download malware.
OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
Headquartered in San Francisco, OneLogin provides single sign-on and identity management for cloud-base applications. OneLogin counts among its customers some 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers.
A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer’s usernames and passwords for all of their other applications.
In a brief blog post Wednesday, OneLogin chief information security officer Alvaro Hoyos wrote that the company detected unauthorized access to OneLogin data.
“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.”
“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”
OneLogin’s blog post includes no other details, aside from a reference to the company’s compliance page. The company has not yet responded to request for comment. However, Motherboard has obtained a copy of a message OneLogin reportedly sent to its customers about the incident, and that missive contains a critical piece of information:
“Customer data was compromised, including the ability to decrypt encrypted data,” reads the message OneLogin sent to customers.
According to Motherboard, the message also directed customers to a list of required steps to minimize any damage from the breach, such as generating new API keys and OAuth tokens (OAuth being a system for logging into accounts), creating new security certificates as well as credentials; recycling any secrets stored in OneLogin’s Secure Notes feature; and having end-users update their passwords.
Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.
“It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”
KrebsOnSecurity will likely update this story throughout the day as more details become available.
Update 7:54 p.m ET: OneLogin posted an update to its blog with more details about the breach:
Source: KREBS ON SECURITY
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”
“The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.”
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems.
Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in common: They were all used at Kmart locations.
Asked to respond to rumors about a card breach, Kmart’s parent company Sears Holdings said some of its payment systems were infected with malicious software:
“We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”
“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”
Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”
Sears spokesman Chris Brathwaite said the company is not commenting on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.
“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation,” Sears Holdings said in its statement. “We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.”
In October 2014, Sears announced a very similar breach in which the company also stressed that the data stolen did not include customer names, email addresses or other personal information.
Both breaches involved malware designed to steal credit and debit card data from hacked point-of-sale (POS) devices. The malware copies account data stored on the card’s magnetic stripe. Armed with that information, thieves can effectively clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers.
At least two financial industry sources told KrebsOnSecurity that the breach does not appear to be affecting all Kmart stores. Those same sources said that if the breach had hit all Kmart locations, they would expect to be seeing much bigger alerts from the credit card companies about accounts that are potentially compromised.
All Kmart stores in the United States now have credit card terminals capable of processing transactions from more secure chip-based cards. The chip essentially makes the cards far more difficult and expensive to counterfeit. But not all banks have issued customers chip-enabled cards yet, and thus this latest breach at Kmart likely impacts mainly Kmart customers who shopped at the store using non-chip enabled cards.
Visa said in March 2017 there were more than 421 million Visa chip cards in the country, representing 58 percent of Visa cards. According to Visa, counterfeit fraud has been declining month over month — down 58 percent at chip-enabled merchants in December 2016 when compared to the previous year.
Sears also has released a FAQ (PDF) that includes a bit more information about this breach disclosure.Source: KREBS ON SECURITY