Information Security Blog | Cyber Security Blog

Sreejith C

Information Security Blog | Cyber Security Blog
Read More

Samsung Says: Its Safe

Monday, 04 July 2016 05:30

Samsung has said that all customer data are safe, and its Samsung Pay system has not been affected after it was revealed that Chinese hackers breached the network of its U.S. subsidiary LoopPay in March.

The attack, which was uncovered in late August, targeted the company's office network, but Samsung claimed no customer data were at risk and the incident was dealt with "immediately and comprehensively" by LoopPay. Despite the attack taking place over six months ago, it only came to light Wednesday when the New York Times published a report which laid the blame for the attack on a hacking group known as the Codoso Group or Sunshock Group, which is said to be affiliated with the Chinese government.

The report suggests that the hackers were after the technology developed by the company rather than details of customers' payment transactions. The attack breached the security of three internal servers at LoopPay's offices in Woburn, Massachusetts.

LoopPay is a subsidiary of the South Korean electronics giant and handled mobile payments before the company introduced its proprietary Samsung Pay system earlier this year as a direct challenger to Apple Pay. LoopPay was acquired by Samsung in February for $250 million and the company has used its technology -- known as magnetic secure transmission or MST -- in its implementation of Samsung Pay.

A statement by the South Korean company said: "Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay office network, which is a physically separate network from Samsung Pay. The LoopPay incident was resolved and had nothing to do with Samsung Pay."

Chinese Tension

Samsung Pay launched in the U.S. just last week after a successful debut in South Korea where it racked up $30 million worth of purchases in just one month and is seen as a competitor for Apple Pay and Google's own Android Pay systems. Unlike its competitors, however, Samsung's use of MST technology gives it an advantage of allowing it to be used on older cash registers that support magnetic stripe cards.

The theft of intellectual property belonging to U.S. companies by Chinese hackers is a hot topic at the moment, after Washington called on Chinese President Xi Jinping to help prevent this during his recent state visit to the White House. The result of the summit was a range of agreements to help prevent these incidents, including the provision of a new high-level contact group and assurances to investigate complaints from each other -- and resolve them where possible.

The breach of LoopPay's internal network took place in March, but the company was only made aware of it in late August when the security company investigating the operations of the Codoso Group found information relating to LoopPay. The same group was also responsible for a sophisticated attack on the Forbes website earlier this year, which infected visitors to the website.

"They Will Come Back"

While Samsung says its new payment system has not been compromised, some security experts disagree, saying that once such an attack takes place, it is very difficult to remove the threat from your network. “Once Codoso compromises their targets -- which range from dissidents to C-level executives in the U.S. -- they tend to stay there for quite a long time, building out their access points so they can easily get back in,” John Hultquist, head of intelligence on cyber-espionage at iSight Partners, told the New York Times. “They’ll come back to a previous organization of interest again and again.”

Samsung, however, is confident its new system is safe and secure: "Each transaction uses a digital token to replace a card number. The encrypted token combined with certificate information can only be used once to make a payment. Merchants and retailers can’t see or store the actual card data," it said.

Speaking to International Business Times, Mark Bower, global director, enterprise data security for HP Data Security, said that this type of attack is all too common. "Any company today has to assume a breach will happen and take more advanced threat mitigation measures. The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides."

Read More

Imagine waking up on a splendid spring day, opening your laptop and realising that you can’t access your online accounts anymore. Your email has been breached, your website, your most precious work, is now gone, and your credit card was used for shady transactions.

In a nutshell, this is what I experienced almost 6 years ago.

All the ruckus was caused by one of my ex-employees, whom I had recently fired. I suppose this was his way to get revenge.

Fortunately, he didn’t cause any unfixable damage, but made me a little bit paranoid about my online security. Ever since I’ve been trying to adopt every measure within reach in order to avoid future similar hacks. But I’ll share more on what I’ve learned from this experience in a separate article I’m writing.

This week’s cyber security guide is about something that, if it had been available back then, probably none of this would have happened: Two-Factor Authentication.

So, what exactly is Two-Factor Authentication?

Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double check that your identity is legitimate.

How does Two-Factor Authentication work?

When you want to sign into your account, you are prompted to authenticate with a username and a password – that’s the first verification layer.

Gmail login procedure (email and password)

Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.

Gmail - login - enter verification code

Its purpose is to make attackers’ life harder and reduce fraud risks. If you already follow basic password security measures, two-factor authentication will make it more difficult for cyber criminals to breach your account.

However, you shouldn’t expect it to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance to succeed.

What are the authentication factors?

There are 3 main categories of authentication factors:

1. Something that you know – This could be a password, a PIN code or answer to a secret question.

2. Something that you have – This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.

3. Something that you are – This is a biological factor, such as a face or voice recognition, fingerprint, DNA, handwriting or retina scan. However, some of these are quite expensive, so, unless you work in a top secret / Mission Impossible kind of facility, you probably don’t have this kind of authentication method implemented.

Read More

It will also be safer to try on iOS based devices like the iPad or iPhone, because by that time, developers will have spotted all of its major bugs and problems and Apple will have made the proper modifications. At the time, we weren't sure if this was done purposefully, or if it was a human error and that it would be corrected in the forthcoming betas of iOS 10. If you do not want to apply for Apple's developer account and still like to try the iOS 10 beta, follow this guide.

Like many technology companies, Cupertino does not now run a bug bounty program that awards cash prize to security researchers that find security holes in the company's software. But rather than an oversight by Apple, experts told MIT Technology Review it could be a novel strategy from Apple to encourage researchers to report flaws.

Still, security experts note that since the company's showdown with the Federal Bureau of Investigation over encryption, Apple's devices have been closely scrutinized and the company's security measures have become a central focus for many in the security field. This move could potentially be used by "jailbreakers" - people who release code that removes an operating system's restrictions to allow a wider range of software to be used. It might now be a good idea to launch one. This came as surprising news, especially considering Apple's vocal stance on user privacy and security. According to Fortune, Apple might have anxious some users when it was revealed the company unencrypted the kernel in iOS 10.

Apple recently showed off a preview version of iOS 10 at a developer’s conference and as developers are wont to do they immediately hacked into the code to see what they could find inside. However, the company has now responded saying that this was in fact a strategic move, and was done to optimize the OS performance.

The kernel controls how apps access hardware resources and manages security. The tech giant probably released the unencrypted beta version to expand its debugging strategy. And, the security experts were quite surprised when they found that the smartphone maker had not obscured the workings of the center of its OS by using encryption as it did before. 

Read More

Star Wars: Yes here it goes live, Battlefront Bespin DLC

Wednesday, 22 June 2016 05:30

The second of Battlefront’s 4 DLC packs is prepared to play now for everyone, and includes 5 new maps and a Cloud Car.

Considering how costly a deteriorate pass is, a initial DLC enlargement for Star Wars: Battlefront didn’t accurately get things off to an moving start. But a second one is out now and does during slightest embody a new location: Bespin’s Cloud City from The Empire Strikes Back.

We’ve only had a discerning go and it contains 5 new maps, a new diversion mode called Sabotage, and a new Twin-Pod Cloud Car to commander in Fighter Squadron (it’s really tiny and comes with a sensor jammer, a bit like a Snowspeeder).

The dual new characters are Lando Calrissian and a annuity hunter Dengar. You also get a new Hutt Contract, new weapons, and new Star Cards.

We don’t consider it’s going to change anyone’s mind about a game, generally as it costs £12 when bought separately, though during slightest it’s some-more estimable than a initial one.

Released during a same time is a giveaway refurbish that increases a turn top to 70, adds new dress options for Rebels and Imperials, and a long list of tweaks and balancing changes.

The third DLC enlargement is due this autumn and will be formed around a Death Star(s). The fourth and final enlargement is due in early 2017 and a essence are now a secret.

It’s ordinarily suspicion that it will deliver elements from this Christmas’ Rogue One movie, though after a proclamation of Battlefront 2 for subsequent year that no longer seems so certain.