Sandwich Chain Jimmy John’s Investigating Breach Claims

Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.
Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.
Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”
The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.
Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries (all breaches first reported on this blog).
According to the company’s Wikipedia page, there are more than 1,900 Jimmy John’s stores in at least 43 states. Nearly all Jimmy John’s locations (~98 percent) are franchisee-owned, meaning they are independently operated and may not depend on common information technology infrastructure.
However, multiple stores contacted by this author said they ran point-of-sale systems made by Signature Systems Inc. The company’s PDQ QSR point-of-sale product is apparently recommended as the standard payment solution for new Jimmy John’s franchise owners nationwide. Signature Systems did not immediately return calls for comment.
Reports of a possible card compromise at Jimmy John’s comes amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.
Update: An earlier version of this story incorrectly stated that Jimmy John’s was based in Charleston, Ill.; rather, it was founded there. The copy above has been corrected.

Anonymous Group Takes Down Mossad’s Website Over Gaza Conflict

The hacktivist group Anonymous has reportedly taken down the official website of the Israeli intelligence agency Mossad against Israel’s military incursion in Gaza, which has resulted in hundreds of civilian casualties. The government of Israel has yet to comment on the Mossad hack attack.

The ‘Hacktivists’ were able to take down Mossad’s website in a Distributed Denial of Service <(DDoS) attack early morning, claims a statement on one of the Anonymous hacker’s Twitter account. The attack on the website is supposed to be severe as it has been over 10 hours and the site is still down at the time of writing.

The Anonymous group has already targeted a number of other Israeli organizations as part of a campaign titled “Operation Save Gaza” in the mission to stop this “massacre.”

Anonymous group has also claimed responsibility of taking down multiple Israeli government sites following the death of one of the organization’s members. The member named Tayeb Abu Shehada, a 22-year-old, was killed during a protest in the village of Huwwara in the West Bank by Israeli forces over the weekend.

The hacktivist group launched a hacking campaign Operation Save Gaza against Israeli government coinciding with the Israel’s Operation Protective Edge on July 7. Since then, Anonymous group have taken down “thousands” of Israeli-based websites including Israel’s Defence Ministry and the Tel Aviv Police websites.

“We are calling upon the Anonymous collective, and the elite hacker groups to join our crusade, and to wage cyber war against the state of Israel once more,” said a public statement from the group posted online last Friday. “As a collective ‘Anonymous’ does not hate Israel, it hates that Israel’s government is committing genocide & slaughtering unarmed people in Gaza to obtain more land at the border.“

As the news broke that hundreds of “Israeli government home pages have been replaced by graphics, slogans, and auto-playing audio files,” Anonymous claimed responsibility for the attacks, further releasing 170 log-in details last Monday which they claimed belonged to Israeli officials.

Two years ago, the same group launched hundreds of attacks on Israeli sites with #OpIsrael targeting Israeli websites, during the Israeli Defense Force’s (IDF) previous operation ‘Pillar of Defense’ in Gaza.

The Israeli Foreign Ministry’s data was completely wiped out and the group was able to leak the data of 5,000 Israeli officials as well as hacked into the Israeli Deputy Premier’s Facebook and Twitter accounts, thereby replacing it with pro-Palestinian messages.

Also a year back, the group claimed to have attacked 100,000 websites, stating that their attacks had caused $3 billion in damages to Israel.

CIA admits to spying on Senate committee

After months of denials, CIA Director John Brennan apologizes for spying on Senate Intelligence Committee computers.

Central Intelligence Agency Director John Brennan Chip Somodevilla/Getty Images

The Central Intelligence Agency on Thursday admitted that it improperly gained access to computers used by the Senate Intelligence Committee to prepare a report on a CIA detention and interrogation program.
The agency's inspector general -- an internal watchdog -- concluded that some CIA employees "acted in a manner inconsistent with the common understanding" between the CIA and the Senate when it penetrated the computer network, said CIA spokesperson Dean Boyd in a statement shared with CNET News.
CIA Director John Brennan apologized to Intelligence Committee Chairwoman Dianne Feinstein and Vice Chairman Saxby Chambliss about the actions of some of the agency's officials. Brennan is forming an accountability committee, led by former Indiana Sen. Even Bayh, that will examine the inspector general's report and recommend potential disciplinary action and ways to address broader issues.
The independent computer network that the CIA tapped was established in 2009 for Congress to review CIA documents during an investigation into alleged torture and abuse in a detention and interrogation program from the George W. Bush administration.
The CIA snooping became public in March after Sen. Feinstein accused the agency of improperly monitoring the computer network. Today's apology comes after months of denial from Brennan.
"When the facts come out on this, I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong," Brennan said at the time, according to The New York Times.
The Senate's more than 6,000 page report on the now-defunct detention and interrogation program will be released to the public, possibly as soon as next month, according to The Hill.

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.
Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.
We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.
USB thumb drives are typically a block of flash memory with a micro-controller attached to it; this controller chip has its own RAM scratch pad, and a tiny operating system in the firmware telling it how to interface the flash with the outside world via USB. This firmware can be reprogrammed to do unintended stuff – if you've worked out how to do so.
For a few years now, this sort of attack has been known to be possible: infosec types even dubbed malicious USB devices "plug and prey."
Now we're told it's a reality. There's no need for custom hardware, which we've seen before – instead generic yet supported chips on USB sticks can be reprogrammed to infect a host PC with malware that then infects any other supported devices plugged into it, sparking a rather irritating infection.
"No effective defenses from USB attacks are known," claimed SR Labs.
"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."

How it's supposed to work

The two, who will present a full technical talk and proof-of-concept code at next week's Black Hat conference in Las Vegas, designed BadUSB to convince the target computer that a USB thumb drive is also a USB keyboard – which quickly feeds a string of characters to the computer as if typed by the user.
This string could, on Windows, open a cmd.exe box, run an executable on the flash drive that installs further malware, or open an Internet Explorer window and surf to a website that exploits a vulnerability in IE or Adobe Flash to inject malware. The drives can also be configured to impersonate a network card and redirect traffic.
It's all possible because USB devices can be multi-function: when they are plugged into a computer, they announce to the operating system, via the USB protocol, what kind of device they are so that the correct drivers are loaded and the gadget is usable.
Usually, a thumb drive announces itself as mass storage. If it also announces itself as a keyboard, today's desktop operating systems play along and attach it as another keyboard source to cause mischief.
Before you start panicking and throwing away your peripherals, there are a few caveats to the research.

1. Not every USB chip

Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.
For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

• A USB thumb drive that rapidly injects key-presses to download and run malicious software before the user can stop it. This is triggered by plugging the device into the PC.
• A USB thumb drive that boots the PC, tampers with the operating system installation to cause further misery, and then boots the machine proper.
• A USB thumb drive that announces itself as a network card, allowing it to reconfigure the machine's DNS settings to redirect internet traffic into hackers' hands.

Earlier this year, at Shmoocon 2014, Richard Harmamn gave a presentation on his research into analyzing USB micro-controllers and studying their firmware and security features. Phison, he pointed out, has a tool called MPAll which allows firmware to be rewritten – although it's hard work crafting a working rogue firmware as the chip internals aren't documented.

2. Security versus cost

Secondly, it may be possible for device manufacturers to deal with these problems themselves. Controllers could be designed to only accept new firmware that is cryptographically proven to be legit, for example, but that would increase the complexity and the cost of these cheap-as-pennies chips.
There is, though, room for increased security, we're told.
"The USB specifications support additional capabilities for security, but original equipment manufacturers (OEM’s) decide whether or not to implement these capabilities in their products. OEMs develop products based on consumer demand," a spokeswoman from the USB Implementers Forum told El Reg in an email.
"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."
At the moment it's unlikely that manufacturers are going to do anything that would drive up the price of USB devices. (Operating system developers could, of course, consider rejecting bizarre USB function combinations.)
If someone were to develop malware that infected PCs from thumb drives and then silently reprogrammed other connected thumb drives to spread again, it's unlikely that anyone's going to whine about paying a few pennies more for something that's locked down.

Retailers shot up by PoS scraping brute force cannon

The US Computer Emergency Response Team has warned of a new point of sale malware that is targeting retailers.
The malware is a RAM-scraper of the kind made infamous by the Target breach that saw attackers plant wares on terminals to nab credit cards while they were temporarily unencrypted.

This attack uses a new tool delivered through an increasingly common vector; Attackers implanted the malware dubbed BackOff on the point of sales (PoS) terminals of several unnamed retailers by brute forcing passwords protecting remote desktop protocol channels.
"Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications," US-CERT warned in an alert.
"After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the PoS malware and subsequently exfiltrate consumer payment data via an encrypted POST request."
It was spotted in three forensic investigations dating to October last year which found it could scrap card track data from PoS memory, log keystrokes, and maintain persistence by tapping into explorer.exe.

Image: Slava Gomzin

The malware and its kin are a huge threat to retailers of all stripes because there is little business can do to prevent cards being swiped without significantly overhauling infrastructure, HP technologist Slava Gomzin warned.
The veteran PoS hacker considered the Payment Card Industry Data Security Standard (PCI DSS) all but bollocks and said it did little to prevent credit card theft.
The only way businesses could prevent carder raids was to stump up and pay for point-to-point encryption (P2PE).
"Deploying P2PE for large retailers is really realistic, but it requires a lot of financial resources and hardware changes. It is the primary reason why most retailers don't have it yet," Gomzin told The Register.
"Point to Point encryption requires a lot of changes to the back end."
Security controls included in or similar to PCI DSS were still required within data centres where credit card data was decrypted for server applications, but P2PE was generally a far more secure means of safeguarding transactions.
The technology proved itself during the Target breach, Gomzin said, where US stores that did not have P2PE in place had 40 million cards stolen by thieves, while the Canada chain which had deployed the crypto was untouched.

Image: Slava Gomzin

He said there were signs that retailers were moving to point to point encryption but did not have numbers on how many had adopted the technology since the Target icing. Most big businesses were aware of the need to, however, but were not keen on facing the disruption.
Neohapsis security consultant Joe Schumacher said organisations should check their remote access points for weaknesses.
"For limiting the risk of compromise with [BackOff], organisations should educate employees and provide an approved method for remote access," Schumacher said.
"Companies should also perform network scans to see if systems have specific ports enabled to provide the remote access services, then follow up to turn off the service. If a small organization must rely on a third-party for remote access services then trust within the industry should be examined along with security features that can be enabled for protection."